I'm trying to forward events to a Splunk instance using the HTTP event collector (http://<splunk_instance>:8088/services/collector/event) but it seems that the connection is being rejected by Splunk. The error I'm getting is: "read tcp 127.0.0.1:46660->127.0.1.1:8088: read: connection reset by peer"
The HTTP event collector is configured as:
Enable SSL: true
HTTP Port number: 8088
"Connection reset by peer" means that the other side actively closed the connection after initially accepting it. Which usually means - in this case - that the server is listening on the port anf the traffic isn't firewalled (otherwise you'd get connectiin timeout or connection refused) but your client isn't allowed by the configuration.
One interesting thing though is that you're saying you're connecting to an external instance but the error refers to localhost connection, has a strange form of localhost address (127.0.1.1) and seems to be from the server's side saying that client closed the connection.
Where do we set the allowed clients configuration here in Splunk? What I only did was to get the token of the Splunk instance and put it the configuration file of the client.
Also, the client (where the alert events will be coming from) and the server (Splunk) is on the same linux virtual machine.
Check for errors on both sides of the connection. If this was indeed a message from the server, which would mean that the client interrupted the connection, it would typically mean SSL misconfiguration.
In such a case the client would attempt to connect to the server, the server would accept the TCP connection, at least one party would start the TLS handshake but - especially if the TLS was enabled on the client and disabled on the server - if the client couldn't agree with the server on TLS parameters, it would drop the connection.
So make sure that TLS parameters are the same on both sides.