search cancel

Integrated Cyber Defense Exchange (ICDx) Splunk forwarder module fails due to timeout errors

book

Article ID: 200330

calendar_today

Updated On:

Products

Integrated Cyber Defense Exchange ICDx

Issue/Introduction

When you try to start the ICDx Splunk forwarder, the forwarder does not start and errors are found in the forwarder logs.

Similar to the following error is listed in the forwarder logs:

2020-09-17 15:42:28,023 [Splunk] WARN  com.symantec.http.support.HttpRequester - Send to Splunk 1, 100 event(s), 296830 bytes (uncompressed) attempt 1 - Connect to ###.###.###.###:8088 [/###.###.###.###] failed: Connection timed out (Connection timed out)

2020-09-17 15:42:28,026 [Splunk] WARN  com.symantec.splunk.SplunkHttpWriterModule - Socket problem. This forwarder is configured to use SSL, and there could be an SSL misconfiguration in Splunk.

Double-check settings:

    * Use SSL: true

    * Use SSL Verification: false

      (ignored because SSL Certificate Path is supplied)

    * SSL Certificate Path: /path/to/splunk_cert.pem

    * Use Hostname Verification: false

      (only applies when using SSL Certificate Path)

    * Host: ###.###.###.###

    * Port: 8088

    * Token: ****

    * Index not specified

    * Source Type not specified

    * Use Proxy: false

 

Cause

The issue is caused by a timeout when ICDx tries to connect to the Splunk server. In the example above, SSL(TLS) is in use, but the error could also happen without SSL(TLS). The issue could be caused by network problems or Splunk configuration problems.

Environment

Release : 1.4.1

Component : Splunk Forwarder

Resolution

To resolve this issue, investigate your communication path between ICDx and Splunk and verify that the configuration parameters are correct and that nothing on the network is interfering (such as network configurations, problems with hardware, firewall configurations, network routing, etc...).