Related Answers
Download topic as PDF
Splunk server tokens
If a forwarder TCP token is corrupt or rejected, the indexer that receives the token generates error messages in its logs. If you do not locate the bad token, that forwarder tries to use it indefinitely.
To locate the bad forwarder token, increase the logging level of the indexer:
- Open a shell prompt.
- Using a text editor, edit
SPLUNK_HOME/etc/log.cfgas follows:category.TcpOutputProc=DEBUG category.TcpInputConfig=DEBUG category.TcpInputProc=DEBUG
- Save the file and close it.
- Restart the indexer.
When a token that a forwarder sends matches the token that the indexer receives, the following messages are generated:
Indexer:
09-15-2015 13:21:30.746 -0700 DEBUG TcpInputProc - Forwarder token matched
Universal Forwarder:
09-15-2015 13:24:00.343 -0700 DEBUG TcpOutputProc - Indexer can use tokens
When the tokens do not match, the indexer generates a message similar to the following:
09-15-2015 13:22:01.747 -0700 ERROR TcpInputProc - Exception: Token not sent by forwarder src=10.140.126.58:51838! for data received from src=10.140.126.58:51838 09-15-2015 13:52:14.803 -0700 ERROR TcpInputProc - Exception: Token sent by forwarder does not match configured tokens src=10.140.126.58:51990! for data received from src=10.140.126.58:51990
|
PREVIOUS Safeguards for risky commands |
NEXT Avoid malicious CSV files in searches |
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0
Feedback submitted, thanks!