I have a problem with a DC sending to the Splunk setup. This DC machine should first send logs to the IF tier, and after that the events are placed in the indexer.
I have checked the internal logs for this particular machine with log_level "ERROR". The interesting thing I found is a problem with 'TcpOutputFd'. There are the following messages:

Connection to host=10.200.80.11:9997 failed. sock_error = 10054. SSL Error = No error
Connection to host=10.200.80.12:9997 failed. sock_error = 10054. SSL Error = No error
Connection to host=10.200.80.13:9997 failed

I am not very familiar with managing a distributed Splunk setup; I am still learning new things.
Could you please tell me how I can resolve this problem?
1) The DC doesn't have any problems with connections to the IFs on destination port 9997.
2) What should be checked? Do I need to compare the SSL cert on the IF with the cert in the Splunk agent on the DC machine? If yes, I am not sure what the location of the cert on the DC machine is.
On the IF side I can see that it's in /opt/splunkforwarder/etc/apps/name_of_app/auth/cacert.pem
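As an added triage example (not part of the question above and not Splunk's own tooling), the script below parses TcpOutputFd failure lines of the shape quoted in the question, groups them per receiver, and translates the Winsock `sock_error` code into plain language. The sample log lines, timestamps and the 10061 entry are constructed for the demonstration; the code-to-meaning table covers only the three Winsock codes listed in it.

```python
import re
from collections import Counter

# Constructed sample in the layout of splunkd.log; the three 10.200.80.x
# receivers match the question, the timestamps and the 10061 line are made up.
SAMPLE_LOG = """\
08-21-2020 10:15:01.123 +0000 ERROR TcpOutputFd - Connection to host=10.200.80.11:9997 failed. sock_error = 10054. SSL Error = No error
08-21-2020 10:15:31.456 +0000 ERROR TcpOutputFd - Connection to host=10.200.80.12:9997 failed. sock_error = 10054. SSL Error = No error
08-21-2020 10:16:01.789 +0000 ERROR TcpOutputFd - Connection to host=10.200.80.13:9997 failed. sock_error = 10061. SSL Error = No error
08-21-2020 10:16:31.000 +0000 ERROR TcpOutputFd - Connection to host=10.200.80.11:9997 failed. sock_error = 10054. SSL Error = No error
08-21-2020 10:17:01.000 +0000 INFO  TcpOutputProc - Connected to idx=10.200.80.11:9997, pset=0, reuse=0.
"""

# Winsock error codes as reported by a forwarder running on Windows.
WINSOCK_ERRORS = {
    10054: "WSAECONNRESET: the TCP connection was established, then reset by the peer",
    10061: "WSAECONNREFUSED: nothing accepted the connection on that port",
    10060: "WSAETIMEDOUT: no reply at all (route or firewall drop)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) (?P<level>\w+)\s+TcpOutputFd - "
    r"Connection to host=(?P<host>[^:]+):(?P<port>\d+) failed\. "
    r"sock_error = (?P<sock>\d+)\. SSL Error = (?P<ssl>.+)$"
)


def parse_tcpoutput_errors(text):
    """Return one dict per TcpOutputFd connection-failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        d["sock"] = int(d["sock"])
        d["ssl"] = d["ssl"].strip()
        events.append(d)
    return events


def summarize(events):
    """Group failures per host:port and count socket and SSL error values."""
    summary = {}
    for e in events:
        dest = f"{e['host']}:{e['port']}"
        s = summary.setdefault(dest, {"failures": 0, "sock_errors": Counter(), "ssl_errors": Counter()})
        s["failures"] += 1
        s["sock_errors"][e["sock"]] += 1
        s["ssl_errors"][e["ssl"]] += 1
    return summary


def diagnose(summary):
    """Turn the per-receiver summary into readable findings."""
    findings = []
    for dest, s in sorted(summary.items()):
        for code, n in s["sock_errors"].most_common():
            meaning = WINSOCK_ERRORS.get(code, "unrecognised Winsock code")
            ssl = ", ".join(sorted(s["ssl_errors"]))
            findings.append(f"{dest}: {n} failure(s), sock_error={code} ({meaning}); SSL layer reported: {ssl}")
    # A reset on every receiver with no SSL-layer error points at a shared cause
    # (forwarder outputs config or a setting common to all receivers) rather than one host.
    resets = [d for d, s in summary.items() if 10054 in s["sock_errors"]]
    if len(summary) > 1 and len(resets) == len(summary):
        findings.append("All receivers reset the connection: check the forwarder's outputs settings "
                        "and the receivers' shared inputs/SSL settings before suspecting one host.")
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize(parse_tcpoutput_errors(SAMPLE_LOG))):
        print(line)
```

Run it against your own splunkd.log by reading the file into `parse_tcpoutput_errors` instead of `SAMPLE_LOG`; the INFO line in the sample shows that successful `TcpOutputProc` connections are deliberately ignored, so the per-host counts only reflect failures.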