SYN_RECV network message in intermediate forwarder

wvalente · ‎07-19-2017

Hi,

I'v configured a intermediate forwarder and enable the 9997 port to listen the other assets.

Testing the connection with netstat command, I receive the following message with SYN_RECV:

tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN
tcp 0 0 XX.XX.XX.40:9997 XX.XX.XX.105:32824 SYN_RECV
tcp 0 0 XX.XX.XX.40:9997 XX.XX.XX.105:32818 SYN_RECV
tcp 0 0 XX.XX.XX.40:9997 XX.XX.XX.105:32820 SYN_RECV
tcp 0 0 XX.XX.XX.40:9997 XX.XX.XX.105:32822 SYN_RECV
tcp 0 0 XX.XX.XX.40:52898 XXX.XXX.X.70:9997 TIME_WAIT
tcp 0 0 XX.XX.XX.40:44170 XXX.XXX.X.70:9997 ESTABLISHED
tcp 0 0 XX.XX.XX.40:52894 XXX.XXX.X.70:9997 TIME_WAIT

The connection is not established.

Any tip that I could do?

Tks

woodcock · ‎07-19-2017

You are doing it wrong; use syslog-ng on a UF (not HF), write to disk and use monitor:

http://www.georgestarcher.com/splunk-success-with-syslog/

SYN_RECV network message in intermediate forwarder

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life