Splunk Enterprise

Unable to send logs from one heavy forwarder to another. Getting the "sock_error=104. ssl_error=error:00000000" message?

lawrence_magpoc
Explorer

I'm trying to send logs from one heavy forwarder to another over the port 9998. It connects but for some reason, it closes right after

04-26-2023 16:33:48.141 -0400 INFO AutoLoadBalancedConnectionStrategy [18998 TcpOutEloop] - Connected to idx=<ip>:9998:0, pset=0, reuse=0. autoBatch=1
04-26-2023 16:33:48.238 -0400 INFO AutoLoadBalancedConnectionStrategy [18998 TcpOutEloop] - Connection to <ip>:9998 closed. context=write sock_error=104. ssl_error=error:00000000:lib(0):func(0):reason(0)

Is this really ssl related issue? But I have this in my outputs.conf though
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslPassword = password

Can anyone please help me to get around this?

Labels (2)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

@lawrence_magpoc - I would say this is difficult to say without looking at the actual configuration on the System.

But I would recommended looking at all the configuration again and see with this document if you have done all the steps and done it right or not.

 

I hope this helps!!! upvote is appreciated!!

 

View solution in original post

VatsalJagani
SplunkTrust
SplunkTrust

@lawrence_magpoc - I would say this is difficult to say without looking at the actual configuration on the System.

But I would recommended looking at all the configuration again and see with this document if you have done all the steps and done it right or not.

 

I hope this helps!!! upvote is appreciated!!

 

lawrence_magpoc
Explorer

You were right. It was my config after all. It had this line before

sendCookedData = false

and apparently that's what was giving the "connection closed" message. I omitted that and now I'm no longer getting that message. Thanks for the help!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...