Splunk Enterprise

How to troubleshoot error with SH and index cluster?

SplunkNinja
Path Finder

I have a SH that is not part of SH Cluster.  The SH is connected to an Index Cluster.  I am seeing the following errors on the Indexers (W.X.Y.Z is the IP address of the SH)

ERROR TcpInputProc [2317 FwdDataReceiverThread] - Error encountered for connection from src=W.X.Y.Z:46788. error:140760FC:SSLroutines:SSL23_GET_CLIENT_HELLO:unknown protocol

I don't think there is a mismatch of sslVersions.   Please help me troubleshoot this.

 

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

It looks like the SH is trying to send its logs to the indexers, but doesn't have the correct SSL config.  Verify the SH has the same outputs.conf settings as the SHC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

It looks like the SH is trying to send its logs to the indexers, but doesn't have the correct SSL config.  Verify the SH has the same outputs.conf settings as the SHC.

---
If this reply helps you, Karma would be appreciated.

SplunkNinja
Path Finder

Thanks @richgalloway 

Yes - the outputs.conf on the SH did not have a reference to the SSL/TLS cert being used.  I added the path to the cert file and password.  it's now working 😀

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...