Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to send logs from one heavy forwarder to another. Getting the "sock_error=104. ssl_error=error:00000000" message?

lawrence_magpoc
Path Finder
‎04-26-2023 01:42 PM

I'm trying to send logs from one heavy forwarder to another over the port 9998. It connects but for some reason, it closes right after

04-26-2023 16:33:48.141 -0400 INFO AutoLoadBalancedConnectionStrategy [18998 TcpOutEloop] - Connected to idx=<ip>:9998:0, pset=0, reuse=0. autoBatch=1
04-26-2023 16:33:48.238 -0400 INFO AutoLoadBalancedConnectionStrategy [18998 TcpOutEloop] - Connection to <ip>:9998 closed. context=write sock_error=104. ssl_error=error:00000000:lib(0):func(0):reason(0)

Is this really ssl related issue? But I have this in my outputs.conf though
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslPassword = password

Can anyone please help me to get around this?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-27-2023 01:56 AM

@lawrence_magpoc - I would say this is difficult to say without looking at the actual configuration on the System.

But I would recommended looking at all the configuration again and see with this document if you have done all the steps and done it right or not.

 

I hope this helps!!! upvote is appreciated!!

 

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-27-2023 01:56 AM

@lawrence_magpoc - I would say this is difficult to say without looking at the actual configuration on the System.

But I would recommended looking at all the configuration again and see with this document if you have done all the steps and done it right or not.

 

I hope this helps!!! upvote is appreciated!!

 

Reply
Solved! Jump to solution

lawrence_magpoc
Path Finder
‎04-28-2023 10:04 AM

You were right. It was my config after all. It had this line before

sendCookedData = false

and apparently that's what was giving the "connection closed" message. I omitted that and now I'm no longer getting that message. Thanks for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...