Problem with Sending logs from DomainController to...

d4wc3k · ‎06-22-2020

Hello Everyone on Splunk Forum

I have problem with sending DC to Splunk Setup.
This DC machine first should send logs to IFs tier and after this place events in indexer.

I have checked internal logs for this particular machine with "ERROR" log_level.
Interesting thing which has found by me is problem with 'TcpOutputFd'
There are folling messages

Connection to host=10.200.80.11:9997 failed. sock_error = 10054. SSL Error = No error
Connection to host=10.200.80.12:9997 failed. sock_error = 10054. SSL Error = No error
Connection to host=10.200.80.13:9997 failed
I am not very familiar with managing distributed Splunk setup - I am still learning new things.

Could you please tell me how i can resolve this problem.

Thanks

BR
Dawid

anilchaithu · ‎06-22-2020

@d4wc3k

you need to check couple of things

1) Is there any firewall between DC & intermediate forwarder?

you can check this from DC doing telnet forwarderip:9997

2) IS ssl enabled for this transfer? If so certs should match

you can check this in "inputs.conf" on intermediate forwarder

d4wc3k · ‎06-23-2020

1) DC don't have any problems with cionnections to IFs on 9997 dest port.
2) What should be checked ?
Do I need compare ssl cert on IF with cert in splunk agent on DC machine ?
If yes I am not sure what is location of cert on DC machine

On IF side I can see that it's in /opt/splunkforwarder/etc/apps/name_of_app/auth/cacert.pem

Problem with Sending logs from DomainController to Splunk Intermediate forwarder.

configuration

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation