Solved: How to troubleshoot error with SH and index cluste...

SplunkNinja · ‎01-03-2023

I have a SH that is not part of SH Cluster. The SH is connected to an Index Cluster. I am seeing the following errors on the Indexers (W.X.Y.Z is the IP address of the SH)

ERROR TcpInputProc [2317 FwdDataReceiverThread] - Error encountered for connection from src=W.X.Y.Z:46788. error:140760FC:SSLroutines:SSL23_GET_CLIENT_HELLO:unknown protocol

I don't think there is a mismatch of sslVersions. Please help me troubleshoot this.

richgalloway · ‎01-03-2023

It looks like the SH is trying to send its logs to the indexers, but doesn't have the correct SSL config. Verify the SH has the same outputs.conf settings as the SHC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-03-2023

It looks like the SH is trying to send its logs to the indexers, but doesn't have the correct SSL config. Verify the SH has the same outputs.conf settings as the SHC.

---
If this reply helps you, Karma would be appreciated.

SplunkNinja · ‎01-09-2023

Thanks @richgalloway

Yes - the outputs.conf on the SH did not have a reference to the SSL/TLS cert being used. I added the path to the cert file and password. it's now working 😀

How to troubleshoot error with SH and index cluster?

administration

configuration

troubleshooting

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!