Splunk Enterprise

How to troubleshoot error with SH and index cluster?

SplunkNinja
Path Finder

I have a SH that is not part of SH Cluster.  The SH is connected to an Index Cluster.  I am seeing the following errors on the Indexers (W.X.Y.Z is the IP address of the SH)

ERROR TcpInputProc [2317 FwdDataReceiverThread] - Error encountered for connection from src=W.X.Y.Z:46788. error:140760FC:SSLroutines:SSL23_GET_CLIENT_HELLO:unknown protocol

I don't think there is a mismatch of sslVersions.   Please help me troubleshoot this.

 

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

It looks like the SH is trying to send its logs to the indexers, but doesn't have the correct SSL config.  Verify the SH has the same outputs.conf settings as the SHC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

It looks like the SH is trying to send its logs to the indexers, but doesn't have the correct SSL config.  Verify the SH has the same outputs.conf settings as the SHC.

---
If this reply helps you, Karma would be appreciated.

SplunkNinja
Path Finder

Thanks @richgalloway 

Yes - the outputs.conf on the SH did not have a reference to the SSL/TLS cert being used.  I added the path to the cert file and password.  it's now working 😀

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...