Problem with Sending logs from DomainController to...

d4wc3k · ‎06-22-2020

Hello Everyone on Splunk Forum

I have problem with sending DC to Splunk Setup.
This DC machine first should send logs to IFs tier and after this place events in indexer.

I have checked internal logs for this particular machine with "ERROR" log_level.
Interesting thing which has found by me is problem with 'TcpOutputFd'
There are folling messages

Connection to host=10.200.80.11:9997 failed. sock_error = 10054. SSL Error = No error
Connection to host=10.200.80.12:9997 failed. sock_error = 10054. SSL Error = No error
Connection to host=10.200.80.13:9997 failed
I am not very familiar with managing distributed Splunk setup - I am still learning new things.

Could you please tell me how i can resolve this problem.

Thanks

BR
Dawid

anilchaithu · ‎06-22-2020

@d4wc3k

you need to check couple of things

1) Is there any firewall between DC & intermediate forwarder?

you can check this from DC doing telnet forwarderip:9997

2) IS ssl enabled for this transfer? If so certs should match

you can check this in "inputs.conf" on intermediate forwarder

d4wc3k · ‎06-23-2020

1) DC don't have any problems with cionnections to IFs on 9997 dest port.
2) What should be checked ?
Do I need compare ssl cert on IF with cert in splunk agent on DC machine ?
If yes I am not sure what is location of cert on DC machine

On IF side I can see that it's in /opt/splunkforwarder/etc/apps/name_of_app/auth/cacert.pem

Problem with Sending logs from DomainController to Splunk Intermediate forwarder.

configuration

troubleshooting

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?