Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why can we not establish connection with HTTP event collector?

domaquino
Loves-to-Learn Lots
‎05-24-2022 06:28 PM

I'm trying to forward events to a Splunk instance using the HTTP event collector (http://<splunk_instance>:8088/services/collector/event) but it seems that the connection is being rejected by Splunk. The error I'm getting is: "read tcp 127.0.0.1:46660->127.0.1.1:8088: read: connection reset by peer"

The HTTP event collector is configured as:

Enable SSL: true

HTTP Port number: 8088

 

 

Labels (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2022 09:42 PM

"Connection reset by peer" means that the other side actively closed the connection after initially accepting it. Which usually means - in this case - that the server is listening on the port anf the traffic isn't firewalled (otherwise you'd get connectiin timeout or connection refused) but your client isn't allowed by the configuration.

One interesting thing though is that you're saying you're connecting to an external instance but the error refers to localhost connection, has a strange form of localhost address (127.0.1.1) and seems to be from the server's side saying that client closed the connection.

0 Karma
Reply

domaquino
Loves-to-Learn Lots
‎05-24-2022 10:26 PM

Where do we set the allowed clients configuration here in Splunk? What I only did was to get the token of the Splunk instance and put it the configuration file of the client.

Also, the client (where the alert events will be coming from) and the server (Splunk) is on the same linux virtual machine.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2022 11:24 PM

Check for errors on both sides of the connection. If this was indeed a message from the server, which would mean that the client interrupted the connection, it would typically mean SSL misconfiguration.

In such a case the client would attempt to connect to the server, the server would accept the TCP connection, at least one party would start the TLS handshake but - especially if the TLS was enabled on the client and disabled on the server - if the client couldn't agree with the server on TLS parameters, it would drop the connection.

So make sure that TLS parameters are the same on both sides.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...