topic Re: Splunk Stream Start Error on Ubuntu 18.04 in All Apps and Add-ons

Splunk Stream Start Error on Ubuntu 18.04

banaie — Fri, 10 Jul 2020 17:07:07 GMT

Hi all

I face a special problem on starting stream forwarder as a service on Ubuntu 18.04 (as dedicated mode) and it can not start unless I use this command:

/opt/streamfwd/bin/streamfwd -D

Using other start methods, I receive this error on streamfwd.log:

2020-07-10 20:02:11 INFO [140564408074944] (CaptureServer.cpp:452) stream.CaptureServer - Launch child process for dedicated capture mode
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:490) stream.CaptureServer - Launch child process for restoring interfaces
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:816) stream.CaptureServer - Found DataDirectory: /opt/streamfwd/data
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:822) stream.CaptureServer - Found UIDirectory: /opt/streamfwd/ui
2020-07-10 20:02:11 ERROR [139766768343360] (SnifferReactor/DpdkNetworkCapture.cpp:1308) stream.NetworkCapture - Error: basic_string::_S_construct null not valid
2020-07-10 20:02:11 FATAL [139766768343360] (main.cpp:1150) stream.main - Failed to start streamfwd, the process will be terminated: DPDK failed to initialize
2020-07-10 20:02:11 INFO [140041836300608] (CaptureServer.cpp:622) stream.CaptureServer - kernel interfaces restored

Have you any idea for resolving this problem?

TNX

Re: Splunk Stream Start Error on Ubuntu 18.04

jraso — Sun, 13 Sep 2020 08:41:23 GMT

Hi Banaie,

I had similar behaviour last month, but on CentOS 7. Try to use a template or create your own.

Now I'm using my own template and works pretty stable.

If you have many filters or aggregations, some problems could occur.

Also you need some tunning in streamfwd.conf, that's mine as example:

[streamfwd]
port = 8889
ipAddr = 127.0.0.1
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = 0000:00:13.0
#streamfwdcapture.0.filter =
uioDriverModuleName=uio_pci_generic
#usePacketMemoryPool = true
#streamfwdcapture.0.interface = eth1
streamfwdcapture.0.offline = false
configTemplateName = splunk
pcapBufferSize = 40000000000
maxTcpSessionCount = 1000000
maxTcpReassemblyPacketCount = 2000000
maxEventQueueSize = 100000000
maxPacketQueueSize = 16777216
maxEventAttributes = 2000
tcpConnectionTimeout = 10
processingThreads = 24
httpEventCollectorToken = 743e2231-8.......
indexer.0.uri = http://yourindexer:8088

Hope it helps!

Re: Splunk Stream Start Error on Ubuntu 18.04

banaie — Tue, 15 Sep 2020 13:58:24 GMT

@jraso

TNX. But, it didn't work! Is there anything different about configTemplateName (splunk) from default?

Re: Splunk Stream Start Error on Ubuntu 18.04

jraso — Tue, 15 Sep 2020 14:27:37 GMT

Hi banaie,

There is no template called Splunk. If you search on /opt/streamfwd/configs, you will only find two templates, one for ES, and another for ITSI.

You have to create another directory under /optstreamfwd/configs (I called it Splunk) and select and modify for your needs the xml files you will find on these templates. I started modifying those xml under the Default directory of Stream App located at the indexer, wich seam to have the same format.

If it doesn't work, check the log file located at /opt/streamfwd/var/log and post some errors here.

Re: Splunk Stream Start Error on Ubuntu 18.04

jraso — Tue, 15 Sep 2020 15:11:28 GMT

I've just remembered another little problem, perhaps is your case:

You have to modify the start Script of Streamfwd
- This is the path: /etc/init.d/streamfwd
- You have to add these lines to the script, as the error is related to a non existing directory /var/run/streamfwd
  - if [ ! -d /var/run/streamfwd ]; then
  - mkdir /var/run/streamfwd/
  - fi
Check if it's your case too and please comment.

Re: Splunk Stream Start Error on Ubuntu 18.04

banaie — Tue, 29 Sep 2020 12:42:12 GMT

TNX for all suggestions!

I finally succeeded upgrading to new coming stream 7.3! The problem does not exist in that version!

Thanks again

Re: Splunk Stream Start Error on Ubuntu 18.04

jraso — Tue, 29 Sep 2020 13:12:42 GMT

Good to know, thanks!