Splunk Http Event Collector Socket Error

mcirrici · ‎12-09-2019

I've been trying for a few days now to setup a HEC on a Splunk Heavy Forwarder and having issues with the splunkd process binding to the default tcp/8088 port.

I can see this error within the splunkd.log

FATAL HTTPServer - Could not bind to port 8088

However, I can verify that my localhost is listening on the port

netstat -tulpn | grep 8088
tcp      129      0 0.0.0.0:8088            0.0.0.0:*               LISTEN      13924/splunkd

Also you can notice the queue filling up on that port

I've configured the Splunk HEC global settings on the Splunk Web UI already and enabled the http input in the inputs.conf file already.
I've configured to accept connections over SSL and enabled those settings also within the inputs.conf file as well

[http]
enableSSL = 1
#requireClientCert = false
#privKeyPath = /opt/splunk/etc/auth/splunk-certs/splunkforwarder.key
serverCert = /opt/splunk/etc/auth/splunk-certs/splunkforwarder.pem
#rootCA = /opt/splunk/etc/auth/splunk-certs/ca-chain.pem

Any help would be greatly appreciated!

mcirrici · ‎12-10-2019

I'm like 90% sure it has to do with a SSL issue, I just can't seem to pinpoint where to look.

Splunk Http Event Collector Socket Error

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?