Getting Data In

Handshake and socket error

drberg
Explorer

OS for forwarder: Windows Server 2012
Splunk + Universal Forwarder version: 6

I'm trying to get my Universal Forwarder to contact the deployment server. The only "change" I have done during the installation is setting the deployment server in the msiexec.exe.

C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf:

[target-broker:deploymentServer]
targetUri = server:port

C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log:

10-24-2013 15:46:00.722 +0200 INFO HttpPubSubConnection - Secure HTTP POST failed: Connect to=server:port timed out; exceeded 5sec
10-24-2013 15:46:00.722 +0200 INFO HttpPubSubConnection - Could not obtain connection, will retry after=56 seconds.
10-24-2013 15:46:08.584 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-24-2013 15:46:20.597 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-24-2013 15:46:32.609 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-24-2013 15:46:44.621 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-24-2013 15:46:56.634 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

Log from the Splunk server

10-24-2013 12:33:42.634 +0200 WARN HttpListener - Socket error from X.X.X.X while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

Just for clearity: I can not see my client trying to phone home in under Forwarder management.

Have I left out something important in my forwarder configuration? Some suggestions on what I'm doing wrong?

0 Karma
1 Solution

drberg
Explorer

Well this is embarassing. Turns out I had the wrong url to the deployment server. It's all good now.

View solution in original post

drberg
Explorer

Maybe it's a firewall in the route to the deployment server?

0 Karma

rameshlpatel
Communicator

Same issue i am facing , and i also checked all urls.

Please help me on this

0 Karma

drberg
Explorer

Well this is embarassing. Turns out I had the wrong url to the deployment server. It's all good now.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...