Splunk® Enterprise

Securing Splunk Enterprise

Preview features described in this document are provided by Splunk to you "as is" without any warranties, maintenance and support, or service-level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. These documents are not yet publicly available and we ask that you keep such information confidential.

Troubleshoot Splunk forwarder TCP tokens

You can control which forwarders in your Splunk Enterprise deployment have access to the indexers by setting up forwarder TCP tokens. In the case where a forwarder TCP token becomes corrupt, or the indexer to which the forwarder sends data rejects the token, that indexer generates an error message in its logs. A forwarder always tries to communicate with the indexer you have configured it to communicate with, regardless of whether or not the TCP token you have configured for it is valid.

To locate the bad forwarder token, increase the logging level of the indexer:

  1. Open a shell prompt.
  2. Using a text editor, edit SPLUNK_HOME/etc/log.cfg as follows: 
    category.TcpOutputProc=DEBUG
category.TcpInputConfig=DEBUG
category.TcpInputProc=DEBUG
  3. Save the file and close it.
  4. Restart the indexer.

When a token that a forwarder sends matches the token that the indexer receives, Splunk components generate the following messages:

Indexer: 

09-15-2015 13:21:30.746 -0700 DEBUG TcpInputProc -  Forwarder token matched

Universal Forwarder: 

09-15-2015 13:24:00.343 -0700 DEBUG TcpOutputProc - Indexer 
can use tokens

When the tokens do not match, the indexer generates a message similar to the following: 

09-15-2015 13:22:01.747 -0700 ERROR TcpInputProc - Exception:  Token not sent by 
forwarder src=10.140.126.58:51838! for data received from src=10.140.126.58:51838

09-15-2015 13:52:14.803 -0700 ERROR TcpInputProc - Exception:  Token sent by 
forwarder does not match configured tokens src=10.140.126.58:51990! 
for data received from src=10.140.126.58:51990
Last modified on 09 February, 2021
Safeguards for risky commands   Avoid unintentional execution of fields within CSV files in third party applications

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters