Hi all
I have a functional heavy forwarder on a systems, now i want a second heavy forwarder on the same system. I'd like to test some limiting features in the actual data stream. I cannot move it to another place, since i need some data throughput, which i don't have in any other non productive environment. And before i setup a new system, i like to take and utilize some installed hardware.
The setup of the second heavyforwarder worked well, including the binding of the second inputport as well the other second ports.
The port is open but the Universal Forwarder isn't able to open a stable connection to the second heavy forwarder.
This is the `outputs.conf`
splunk@mysystem:default $ cat outputs.conf
[tcpout]
# do not index locally
indexAndForward = false
# forward all loca indexes
forwardedindex.filter.disable = true
useACK = true
defaultGroup = splunk
[tcpout:splunk]
server = splunk-indexer01:9997
[tcpout:splunk-hfw]
server = splunk-hfw:9997
[tcpout:splunk-sink]
server = splunk-hfw:9996
The connection tests worked as well.
splunk@mysystem:default $ telnet splunk-hfw 9996
Trying ...
Connected to splunk-hfw.
Escape character is '^]'.
^C
splunk@mysystem:default $
In the `spunkd.log` on either system i don't see anything which hitting me to the problem i have here...
On the UFW i'm getting time-outs
02-19-2018 13:42:00.425 +0100 WARN TcpOutputProc - Cooked connection to ip=:9996 timed out
02-19-2018 13:42:00.425 +0100 WARN TcpOutputProc - Cooked connection to ip=:9996 timed out
On the HFW i'm getting broken links, but i don't know why.
02-19-2018 13:42:16.849 +0100 ERROR TcpInputProc - Error encountered for connection from src=:51891. Broken pipe
Traffic on the normal `:9997` Port works without any issue
Anyone has any hint for the problem?
↧