Splunk Enterprise

Problem with Sending logs from DomainController to Splunk Intermediate forwarder.

Path Finder

Hello Everyone on Splunk Forum

I have problem with sending DC to Splunk Setup.
This DC machine first should send logs to IFs tier and after this place events in indexer.

I have checked internal logs for this particular machine with "ERROR" log_level.
Interesting thing which has found by me is problem with 'TcpOutputFd'
There are folling messages

Connection to host= failed. sock_error = 10054. SSL Error = No error
Connection to host= failed. sock_error = 10054. SSL Error = No error
Connection to host= failed
I am not very familiar with managing distributed Splunk setup - I am still learning new things.

Could you please tell me how i can resolve this problem.



Labels (2)
Tags (1)
0 Karma



you need to check couple of things

1) Is there any firewall between DC & intermediate forwarder?

you can check this from DC doing telnet forwarderip:9997

2) IS ssl enabled for this transfer? If so certs should match

you can check this in "inputs.conf" on intermediate forwarder 

0 Karma

Path Finder

1) DC don't have any problems with cionnections to IFs on 9997 dest port.
2) What should be checked ?
Do I need compare ssl cert on IF with cert in splunk agent on DC machine ?
If yes I am not sure what is location of cert on DC machine

On IF side I can see that it's in /opt/splunkforwarder/etc/apps/name_of_app/auth/cacert.pem

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...