Splunk Enterprise

Splunk forwarder is running but in Forwarder Management in MC it is not active

pacifikn
Communicator

Greetings!!


I'm getting warning alerts showing me that the Splunk forwarder is not active, as shown in the pic below,


The Splunk forwarder is running (/opt/splunkforwarder/bin/splunk status), but in the Monitoring Console under Forwarder: Management it is not active; it's showing a missing status, as shown in the screenshot above.

Even when I try to stop and restart the splunkforwarder service (/opt/splunkforwarder/bin/splunk stop), it can't be stopped, as shown in the screenshot below.


Kindly help me on how I can fix the error,


Kindly help and guide me on how to fix this,

Thank you in advance.


PickleRick
SplunkTrust

The second screenshot is not from the universal forwarder.

It seems you have problems forwarding the events to the indexers. The question is why. Check splunkd.log on each of those troublesome components and look for errors. Maybe network problems, maybe TLS issues...


pacifikn
Communicator

Dear @PickleRick,

Search peer Splunkidx03 has the following message: Detecting bucket ID conflicts: idx=_internal, bid=_internal~518~B239BEEE-90FA-43C8-ADDA-620D3FACAB66, path1=/opt/splunk_data/indexes/_internaldb/db/518_B239BEEE-90FA-43C8-ADDA-620D3FACAB66, path2=/opt/splunk_data/indexes/_internaldb/db/db_1651988707_1651737547_518_B239BEEE-90FA-43C8-ADDA-620D3FACAB66. Temporally resolved by disabling the bucket: path=/opt/splunk_data/indexes/_internaldb/db/DISABLED-db_1651988707_1651737547_518_B239BEEE-90FA-43C8-ADDA-620D3FACAB66. Please check this disabled bucket for manual removal.


Does the above error give you more info on how you could advise me to fix the following error?

I checked splunkd.log:

05-22-2022 19:54:03.001 +0200 WARN TcpOutputProc - Applying quarantine to ip=x.x.x.13 port=9997 _numberOfFailures=2
05-22-2022 19:54:03.004 +0200 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) failed validation; error=10, reason="certificate has expired"
05-22-2022 19:54:03.004 +0200 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='certificate expired'.
05-22-2022 19:54:03.004 +0200 ERROR TcpOutputFd - Connection to host=x.x.x..14:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
05-22-2022 19:54:03.004 +0200 WARN TcpOutputProc - Applying quarantine to ip=x.x.x.14 port=9997 _numberOfFailures=2
05-22-2022 19:54:03.007 +0200 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) failed validation; error=10, reason="certificate has expired"
05-22-2022 19:54:03.007 +0200 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='certificate expired'.
05-22-2022 19:54:03.007 +0200 ERROR TcpOutputFd - Connection to host=x.x.x.15:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
05-22-2022 19:54:03.008 +0200 WARN TcpOutputProc - Applying quarantine to ip=x.x.x.15 port=9997 _numberOfFailures=2
05-22-2022 19:54:08.090 +0200 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to output group primary_indexers has been blocked for 11520 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
05-22-2022 19:54:18.001 +0200 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to output group primary_indexers has been blocked for 11530 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
05-22-2022 19:54:22.247 +0200 INFO CMBucket - set bucket summary bid=nc_fw_sophos~1265~A91B9781-86B7-4ECC-9DF2-D6C6F6B75A08 summaryId=F237DE98-1722-40E2-AA0E-9964094F7F12_DM_Splunk_SA_CIM_Web peer=9F50A957-648B-40D7-8B1D-CB8E511C8EA5 type=data_model state=done modtime=1653242047.000000 checksum=7E3C17CAACC1DD664BD299E51A27F53D508F1B1B49BB18AB41F56995DA0ACA03
05-22-2022 19:54:26.759 +0200 INFO ClientSessionsManager:Listener_AppEvents - Received count=9 AppEvents from DC ip=x.x.x.12 name=EF0E61E4-E613-4114-8794-822E03173A9C


With the above info, may you help me to understand more about the error and how to fix it?

Thank you in advance!

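As an added example (not from this thread and not Splunk's own tooling), a small Python triage script that runs over splunkd.log lines like the ones quoted above (re-embedded here as a constructed sample with the same redacted hosts) and pulls out what matters for this failure: which indexers the forwarder quarantined, the X509 validation reason, and how long the output group has been blocked. The regexes and function names are assumptions; the log format is the one shown in the post.

```python
import re

# Constructed sample: splunkd.log lines in the format quoted in the thread (hosts redacted as in the post).
SAMPLE_LOG = """\
05-22-2022 19:54:03.001 +0200 WARN TcpOutputProc - Applying quarantine to ip=x.x.x.13 port=9997 _numberOfFailures=2
05-22-2022 19:54:03.004 +0200 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) failed validation; error=10, reason="certificate has expired"
05-22-2022 19:54:03.004 +0200 ERROR TcpOutputFd - Connection to host=x.x.x.14:9997 failed. sock_error = 0. SSL Error = error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
05-22-2022 19:54:03.004 +0200 WARN TcpOutputProc - Applying quarantine to ip=x.x.x.14 port=9997 _numberOfFailures=2
05-22-2022 19:54:08.090 +0200 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to output group primary_indexers has been blocked for 11520 seconds. This will probably stall the data flow towards indexing and other network outputs.
"""

# Patterns for the four message types that describe this failure (assumed; written against the lines above).
QUARANTINE_RE = re.compile(r"Applying quarantine to ip=(?P<ip>\S+) port=(?P<port>\d+) _numberOfFailures=(?P<n>\d+)")
X509_RE = re.compile(r'X509 certificate \((?P<subject>[^)]*)\) failed validation; error=(?P<code>\d+), reason="(?P<reason>[^"]*)"')
CONNFAIL_RE = re.compile(r"Connection to host=(?P<host>\S+) failed\..*SSL Error = (?P<err>\S+)")
BLOCKED_RE = re.compile(r"Forwarding to output group (?P<group>\S+) has been blocked for (?P<secs>\d+) seconds")


def triage_splunkd_log(text):
    """Summarise forwarder-to-indexer output health from splunkd.log text."""
    report = {"quarantined": {}, "cert_errors": [], "conn_failures": [], "blocked": {}}
    for line in text.splitlines():
        if m := QUARANTINE_RE.search(line):
            # Indexer the forwarder has stopped trying, keyed by ip:port, with the failure count.
            report["quarantined"][m["ip"] + ":" + m["port"]] = int(m["n"])
        elif m := X509_RE.search(line):
            # Subject of the rejected server certificate, OpenSSL error code and human-readable reason.
            report["cert_errors"].append((m["subject"], int(m["code"]), m["reason"]))
        elif m := CONNFAIL_RE.search(line):
            report["conn_failures"].append((m["host"], m["err"]))
        elif m := BLOCKED_RE.search(line):
            # Keep the longest reported outage per output group.
            report["blocked"][m["group"]] = max(report["blocked"].get(m["group"], 0), int(m["secs"]))
    return report


def diagnose(report):
    """Map the summary to a likely root cause and the hosts that need attention."""
    reasons = {reason for _, _, reason in report["cert_errors"]}
    hosts = sorted(report["quarantined"])
    if "certificate has expired" in reasons:
        # The forwarder verifies the indexer's certificate and it is past notAfter: renew it on the indexers.
        return ("expired_server_cert", report["cert_errors"][0][0], hosts)
    if report["conn_failures"]:
        return ("tls_or_network", None, hosts)
    return ("healthy", None, [])
```

Run it over a real splunkd.log with `triage_splunkd_log(open("/opt/splunkforwarder/var/log/splunk/splunkd.log").read())`; the `expired_server_cert` verdict is the case in this thread, where the indexers still serve the expired SplunkServerDefaultCert.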