6 comments

  • Dominik Britz Official comment

    The settings were all correct and the problem has been solved

  • Dominik Britz

    Hi Eduardo,

    The Splunk Cloud trial uses a self-signed certificate that is not trusted by Windows, and therefore it is not trusted by uberAgent as well. For a POC, add the config flags TLSVerifyHostDisabled and TLSVerifyPeerDisabled to the [Miscellaneous] section in the uberAgent.conf. For production, use a valid certificate in Splunk Cloud or add the self-signed certificate to all endpoints.

    [Miscellaneous]
    DebugMode = true
    ConfigFlags = TLSVerifyHostDisabled,TLSVerifyPeerDisabled

     

    Please let us know if this works. If not, we can create a support ticket where you can share log files with us.

     

    Best regards

    Dominik
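Added example, not part of the thread and not uberAgent or vendor code: a small audit that reports whether the two POC-only flags named above are still set in a copy of uberAgent.conf, so they can be caught before a production rollout. It assumes the layout shown in the comment ([Stanza] headers, key = value lines, comma-separated ConfigFlags); treating lines that start with # as comments and matching names case-insensitively are assumptions, and both sample configurations are constructed.

```python
# Flags the thread recommends for a POC only: they switch off TLS host and
# peer verification toward the Splunk receiver.
TLS_POC_FLAGS = ("TLSVerifyHostDisabled", "TLSVerifyPeerDisabled")

def parse_stanzas(text):
    """Return [(stanza_name, {key: value})]; stanza names may repeat."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return stanzas

def audit_tls_flags(text):
    """Return the sorted TLS-disabling flags set in any [Miscellaneous] stanza."""
    wanted = {flag.lower(): flag for flag in TLS_POC_FLAGS}
    found = set()
    for name, settings in parse_stanzas(text):
        if name.lower() != "miscellaneous":
            continue
        for key, value in settings.items():
            if key.lower() != "configflags":
                continue
            for flag in value.split(","):
                canonical = wanted.get(flag.strip().lower())
                if canonical:
                    found.add(canonical)
    return sorted(found)

# Constructed sample: the POC configuration from the comment above.
POC_CONF = """[Miscellaneous]
DebugMode = true
ConfigFlags = TLSVerifyHostDisabled,TLSVerifyPeerDisabled
"""
# Constructed sample: the flags commented out once the certificate is trusted.
PROD_CONF = """[Miscellaneous]
# ConfigFlags = TLSVerifyHostDisabled,TLSVerifyPeerDisabled
DebugMode = false
"""

if __name__ == "__main__":
    for label, conf in (("poc", POC_CONF), ("prod", PROD_CONF)):
        hits = audit_tls_flags(conf)
        print(label, "FAIL: " + ", ".join(hits) if hits else "ok")
```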

     

  • Eduardo Silveira

    Hi Dominik, 

    Using your support, I managed to eliminate the error, but now I am facing this next error.

    2024-06-20 09:39:16.726 -0300,WARN ,WORKGROUP,DESKTOP-EDDU$,24536,CurlSend,Timeout occurred while sending to host: https://prd-xxx.splunkcloud.com:8088. Configured timeout in ms: 10000. Please check the configuration option MaxEventsPerSendOperation in the recevier stanza. Message size in bytes: 10960. Full URL: https://prd-xxx.splunkcloud.com:8088/services/collector

  • Dominik Britz

    uberAgent can't reach your Splunk Cloud instance. Maybe firewall ports are not open? 

    Can you connect via Telnet or similar as the user SYSTEM to Splunk Cloud? uberAgent is running as SYSTEM and sometimes firewall rules are tied to machines and users.

     

    Best regards

    Dominik

     

  • Eduardo Silveira

    I don't have a firewall on this network.

    Now it gives me two different errors and the other one no longer appears.

    1 - 

    2024-06-20 11:43:58.366 -0300,ERROR,WORKGROUP,DESKTOP-EDDU$,24536,SendSingleElement,Sending to https://prd-xxx.splunkcloud.com:8088/services/collector failed with (code: 400): {"text":"Data channel is missing","code":10}

    2 - 

    2024-06-20 11:43:36.304 -0300,INFO ,WORKGROUP,DESKTOP-EDDU$,16756,ReceiverStatistics,Splunk; https://prd-xxxx.splunkcloud.com:8088 - Name: Default (POQ) - Bulk events in queue: <3>, queue size: <108.9> KB, bulk events sent: <0>, bulk events sent overall: <19016>, bulk events added to queue: <102>, bulk events added to queue overall: <2659>, rejected from queue: <0>, generated events: <3961>, total generated events: <103724>

     

  • Dominik Britz

    We've created a ticket for you as we need log files that can contain sensitive information.

    Any findings will be posted here as well.
