Splunk Enterprise

Can see lot of ERROR messages in universal forwarders

kiranpanchavat1
Path Finder

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=xxxx:xxxx in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Can you check that you are not sending e.g. some tcp feed to splunk-tcp port which are expecting S2S protocol. There should be separate ports for other than S2S traffic defined one per different protocols.

0 Karma

kiranpanchavat1
Path Finder

@isoutamo 


We created separate inputs.conf for SSL 

cat inputs.conf
[splunktcp-ssl:9997]
disabled=0

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Have you defined on both side (UF and Indexer) that port the same way and also use the same certs etc?

Have you a separate port for splunktcp or are you using only splunktcp-ssl? You cannot mix that traffic to one port.

r. Ismo

0 Karma

kiranpanchavat1
Path Finder

@isoutamo Will check those configs and let you know 

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...