Hello,
We're using Splunk 6.2.3. When adding the first universal forwarder on Windows Server 2008 R2, we got this error in splunkd.log:
Indexer:
10-30-2015 11:41:58.910 +0800 ERROR TcpInputProc - Error encountered for connection from src=192.168.10.3:50616. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Forwarder:
10-30-2015 11:41.58:661 +0800 INFO TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
...
10-30-2015 11:43:30.323 +0800 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::bind: Failed to get domain controller name with DsGetDcName: (1355)
10-30-2015 11:43:30.323 +0800 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::connectToDC: DsBind failed: (1355)
10-30-2015 11:43:30.323 +0800 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=2 msec
10-30-2015 11:43:53.557 +0800 ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
10-30-2015 11:44:23.560 +0800 ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
10-30-2015 11:44:53.399 +0800 ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
10-30-2015 11:45:23.404 +0800 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
We have outputs.conf defined as following, using default server cert:
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = 192.168.10.112:9997
sslVerifyServerCert = false
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
---------------------------------
Would like to know:
- if there is any syntax error in our outputs.conf so that SSL is not configured? Also tried with back-slash in the path but also failed with same error.
- the server hasn't joined any DC. Can we disable the bind operation and thus avoid the DC related error shown above?
- which 'software' caused the error "An established connection was aborted by the software in your host machine."? We don't find much info in Windows event log.
Would anyone please help?
Thanks and regards
↧