Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why can we not establish connection with HTTP event collector?

domaquino
Loves-to-Learn Lots
‎05-24-2022 06:28 PM

I'm trying to forward events to a Splunk instance using the HTTP event collector (http://<splunk_instance>:8088/services/collector/event) but it seems that the connection is being rejected by Splunk. The error I'm getting is: "read tcp 127.0.0.1:46660->127.0.1.1:8088: read: connection reset by peer"

The HTTP event collector is configured as:

Enable SSL: true

HTTP Port number: 8088

 

 

Labels (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2022 09:42 PM

"Connection reset by peer" means that the other side actively closed the connection after initially accepting it. Which usually means - in this case - that the server is listening on the port anf the traffic isn't firewalled (otherwise you'd get connectiin timeout or connection refused) but your client isn't allowed by the configuration.

One interesting thing though is that you're saying you're connecting to an external instance but the error refers to localhost connection, has a strange form of localhost address (127.0.1.1) and seems to be from the server's side saying that client closed the connection.

0 Karma
Reply

domaquino
Loves-to-Learn Lots
‎05-24-2022 10:26 PM

Where do we set the allowed clients configuration here in Splunk? What I only did was to get the token of the Splunk instance and put it the configuration file of the client.

Also, the client (where the alert events will be coming from) and the server (Splunk) is on the same linux virtual machine.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2022 11:24 PM

Check for errors on both sides of the connection. If this was indeed a message from the server, which would mean that the client interrupted the connection, it would typically mean SSL misconfiguration.

In such a case the client would attempt to connect to the server, the server would accept the TCP connection, at least one party would start the TLS handshake but - especially if the TLS was enabled on the client and disabled on the server - if the client couldn't agree with the server on TLS parameters, it would drop the connection.

So make sure that TLS parameters are the same on both sides.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...