Splunk HEC Forwarder Connection Reset

Article ID: 174749

Products

ICDx

Issue/Introduction

  • Splunk HEC forwarder in Symantec Integrated Cyber Defense Exchange (ICDx) no longer transmits data.
  • Forwarder logs show one or more connection resets.

2019-05-13 10:29:33,656 [Splunk] WARN com.symantec.http.support.HttpRequester - Send to Splunk 1, 100 event(s), 148715 bytes (uncompressed) attempt 1 - potentially recoverable exception (will retry in 954 ms): java.net.SocketException: Connection Reset

Cause

There may be a mismatch between the SSL settings of the forwarder and those of the Splunk HTTP Event Collector.

Environment

  • ICDx
  • Splunk HEC Forwarder

Resolution

  • Verify whether SSL is enabled for the Splunk HTTP Event Collector.
  • If SSL is enabled, note whether the Splunk server uses the default SSL certificates. You may have replaced the default certificates with certificates that are trusted by a public certificate authority (CA). The default Splunk certificates are signed by a private CA and cannot be verified.
  • If SSL is not being used by the Event Collector, ensure the forwarder is also configured not to use SSL.
  • If SSL is being used by the Event Collector, ensure the forwarder is also configured to use SSL and with the correct SSL settings.
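A small diagnostic that tells which of the cases above a collector port is in (SSL off, SSL with a trusted certificate, or SSL with a certificate the forwarder cannot verify) so the forwarder can be matched to it. It is added here as an example and is not ICDx or Splunk code; the probe path, the advice strings and the local plaintext stub listener are constructed for illustration.

```python
import socket
import ssl
import threading

# Constructed probe request (any HTTP request line will do for this check).
HEC_PROBE = b"GET /services/collector/health HTTP/1.0\r\nHost: splunk\r\n\r\n"
# Hypothetical mapping from probe result to the forwarder-side SSL setting.
ADVICE = {
    "tls_trusted": "Forwarder: SSL on; the collector's certificate already verifies.",
    "tls_untrusted_cert": "Forwarder: SSL on, but the collector's certificate is not "
        "trusted (e.g. Splunk default private-CA certs); use a trusted certificate.",
    "plaintext": "Forwarder: SSL off; the collector is not using SSL.",
    "reset_or_closed": "No answer in either mode; check the listener and the network path.",
}

def probe_hec_tls_mode(host, port, timeout=5.0):
    """Classify how the HEC port answers: 'tls_trusted', 'tls_untrusted_cert',
    'plaintext' or 'reset_or_closed'."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls_trusted"
    except ssl.SSLCertVerificationError:
        return "tls_untrusted_cert"  # TLS handshake works; trust is the problem
    except OSError:
        pass  # non-TLS bytes, EOF or reset: the port may be speaking plaintext
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(HEC_PROBE)
            reply = raw.recv(64)
    except OSError:
        return "reset_or_closed"
    return "plaintext" if reply.startswith(b"HTTP/") else "reset_or_closed"

def start_plaintext_hec_stub():
    """Constructed stand-in for a HEC listener with SSL disabled; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)  # ClientHello or HTTP request: answer in clear either way
                conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def self_check():
    return probe_hec_tls_mode("127.0.0.1", start_plaintext_hec_stub())
```

Calling `self_check()` runs the probe against the local stub and returns "plaintext", the case where the forwarder must have SSL disabled; point `probe_hec_tls_mode` at the real collector host and HEC port to classify a live deployment.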