Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to send logs from one heavy forwarder to another. Getting the "sock_error=104. ssl_error=error:00000000" message?

lawrence_magpoc
Explorer
‎04-26-2023 01:42 PM

I'm trying to send logs from one heavy forwarder to another over the port 9998. It connects but for some reason, it closes right after

04-26-2023 16:33:48.141 -0400 INFO AutoLoadBalancedConnectionStrategy [18998 TcpOutEloop] - Connected to idx=<ip>:9998:0, pset=0, reuse=0. autoBatch=1
04-26-2023 16:33:48.238 -0400 INFO AutoLoadBalancedConnectionStrategy [18998 TcpOutEloop] - Connection to <ip>:9998 closed. context=write sock_error=104. ssl_error=error:00000000:lib(0):func(0):reason(0)

Is this really ssl related issue? But I have this in my outputs.conf though
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslPassword = password

Can anyone please help me to get around this?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
Super Champion
‎04-27-2023 01:56 AM

@lawrence_magpoc - I would say this is difficult to say without looking at the actual configuration on the System.

But I would recommended looking at all the configuration again and see with this document if you have done all the steps and done it right or not.

 

I hope this helps!!! upvote is appreciated!!

 

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
Super Champion
‎04-27-2023 01:56 AM

@lawrence_magpoc - I would say this is difficult to say without looking at the actual configuration on the System.

But I would recommended looking at all the configuration again and see with this document if you have done all the steps and done it right or not.

 

I hope this helps!!! upvote is appreciated!!

 

Reply
Solved! Jump to solution

lawrence_magpoc
Explorer
‎04-28-2023 10:04 AM

You were right. It was my config after all. It had this line before

sendCookedData = false

and apparently that's what was giving the "connection closed" message. I omitted that and now I'm no longer getting that message. Thanks for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? &#x1f680; We invite you to join our elite squad ...