• Splunk HEC forwarder in Symantec Integrated Cyber Defense Exchange (ICDx) no longer transmits data.
• Forwarder logs show one or more connection resets.

2019-05-13 10:29:33,656 [Splunk] WARN com.symantec.http.support.HttpRequester - Send to Splunk 1, 100 event(s), 148715 bytes (uncompressed) attempt 1 - potentially recoverable exception (will retry in 954 ms): java.net.SocketException: Connection Reset

• ICDx
• Splunk HEC Forwarder

There may be a mismatch in SSL settings for the forwarder and/or Splunk collector.

• Verify if SSL is enabled for the Splunk HTTP Event Collector.
• If SSL is enabled, note if the Splunk server uses the default SSL certificates. You may have replaced the default certificates with certificates that are trusted by a public certificate authority (CA). The default Splunk certificates are signed using a private CA and cannot be verified.
• If SSL is not being used by the Event Collector, ensure the forwarder is also configured to not use SSL.
• If SSL is being used the Event Collector, ensure the forwarder is also configured to use SSL and is configured with the correct SSL settings.