Splunk Enterprise

How to troubleshoot error with SH and index cluster?

SplunkNinja
Path Finder

I have a SH that is not part of SH Cluster.  The SH is connected to an Index Cluster.  I am seeing the following errors on the Indexers (W.X.Y.Z is the IP address of the SH)

ERROR TcpInputProc [2317 FwdDataReceiverThread] - Error encountered for connection from src=W.X.Y.Z:46788. error:140760FC:SSLroutines:SSL23_GET_CLIENT_HELLO:unknown protocol

I don't think there is a mismatch of sslVersions.   Please help me troubleshoot this.

 

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

It looks like the SH is trying to send its logs to the indexers, but doesn't have the correct SSL config.  Verify the SH has the same outputs.conf settings as the SHC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

It looks like the SH is trying to send its logs to the indexers, but doesn't have the correct SSL config.  Verify the SH has the same outputs.conf settings as the SHC.

---
If this reply helps you, Karma would be appreciated.

SplunkNinja
Path Finder

Thanks @richgalloway 

Yes - the outputs.conf on the SH did not have a reference to the SSL/TLS cert being used.  I added the path to the cert file and password.  it's now working 😀

Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...