Solved: Re: Why do I get missing forwarders?

las · ‎09-07-2012

I have configured the Universal forwarder to monitor a folder, but when I look at the Splunkd.log on the forwarder I see the following:
09-07-2012 09:47:57.809 +0200 WARN TcpOutputProc - Cooked connection to ip=99.999.9.999:9997 timed out
09-07-2012 09:48:08.822 +0200 WARN TcpOutputFd - Connect to 99.999.9.999:9997 failed. No connection could be made because the target machine actively refused it.
09-07-2012 09:48:08.822 +0200 ERROR TcpOutputFd - Connection to host=99.999.9.999:9997 failed
09-07-2012 09:48:08.822 +0200 WARN TcpOutputProc - Applying quarantine to idx=99.999.9.999:9997 numberOfFailures=2

There are no log entries in the Splunkd.log on the indexer.
The universal forwarder is listed as missing in the Deployment App

The indexer is configured to listen for all servers on 9997, and I have seen data received on this port at an earlier time.

There are about 450 universel forwarders configured.

Kind regards.

las · ‎09-14-2012

It wasn't a DoS attack, and windows didn't tag it that way.
There is a stanza connection_host = none in inputs.conf that solved the problem.

View solution in original post

las · ‎09-14-2012

It wasn't a DoS attack, and windows didn't tag it that way.
There is a stanza connection_host = none in inputs.conf that solved the problem.

MuS · ‎09-14-2012

okay, good to know you solved your problem by setting the attribute connection_host = none

MuS · ‎09-07-2012

Hi las

my first guess was: 'about 450 universal forwarders configured'

... imagine they connect all at the same time to the indexer, your indexer could see this as a DoS attack.

Check your indexer and Server OS if there is some DoS detection happening.

/update:

I'm by far no TCP expert, but when you get 'a lot' of CLOSE_WAIT & FIN_WAIT_2 there is something not as it should. short example:

.1 The client sends a SYN to the server.
.2 The server responds with a SYN and ACK to the client.
.3 The client responds with an ACK to the server.

Connection is established and data is transfered (the steps are known as a 3 way handshake).
When the server is closing the connection, the following sequence takes place:

.4 The server sends a FIN and an ACK to the client.
.5 The client sends an ACK to the server.
.6 The client sends its own FIN and ACK to the server
.7 The server sends and ACK to the client.

The short version is that this state exists when the first FIN_ACK and ACK have been sent (steps 4 & 5) but the second FIN_ACK and ACK (steps 6 & 7) has not.
On the side that closed the connection you will have FIN_WAIT_2, on the side that is to send the final FIN_ACK and ACK you will have CLOSE_WAIT.

this could also be caused by a firewall somewhere in the network.
cheers,

MuS

MuS · ‎09-07-2012

see update....

las · ‎09-07-2012

I do have a lot of CLOSE_WAIT on the indexer, when I do a netstat, I have have seen FIN_WAIT_2 on the universal forwarder.
Does that support your theory?

Why do I get missing forwarders?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...