Splunk Enterprise

Can see lot of ERROR messages in universal forwarders

kiranpanchavat1
Path Finder

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=xxxx:xxxx in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Can you check that you are not sending e.g. some tcp feed to splunk-tcp port which are expecting S2S protocol. There should be separate ports for other than S2S traffic defined one per different protocols.

0 Karma

kiranpanchavat1
Path Finder

@isoutamo 


We created separate inputs.conf for SSL 

cat inputs.conf
[splunktcp-ssl:9997]
disabled=0

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Have you defined on both side (UF and Indexer) that port the same way and also use the same certs etc?

Have you a separate port for splunktcp or are you using only splunktcp-ssl? You cannot mix that traffic to one port.

r. Ismo

0 Karma

kiranpanchavat1
Path Finder

@isoutamo Will check those configs and let you know 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...