topic Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger in Deployment Architecture

Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

KayBeesKnees83 — Mon, 03 Jan 2022 15:11:59 GMT

Greetings,

Where can I disable the default Bucket Copy Trigger search to prevent jar files from returning in Splunk? Also, which splunk instance does this search need to be disabled? Please see below:

"Jar files matching the same filename of the files found in the directories above, but found in other directories on your Splunk instances are likely from normal Splunk operation (e.g. search head bundle replication) and can be safely deleted. If any jar files return in the splunk_archiver app, disabling the default Bucket Copy Trigger search in that app will stop this behavior from happening. "

My Splunk architecture (airgapped) includes the following:

1 Search Head

1 Heavy Forward

1 Deployment Server

1 Cluster Master/License Master (operating as the same instance)

7 Indexers (all clustered)

Within my distributed environment, just want to know where to disable this search to prevent this from happening again.

Thank you.

-KB

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

gjanders — Tue, 04 Jan 2022 07:24:01 GMT

The search will definitely run on the search head so disable it there.
You can see the search in the audit index and additionally in the remote_ searches log on the indexers.

I don't believe the cluster master or indexers trigger this but it is safe to disable it. It related to hadoop data roll functionality

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

KayBeesKnees83 — Tue, 04 Jan 2022 13:00:18 GMT

Hi gjanders,

Thank you for your reply and the information you provided. How do I disable this functionality/search in the Search Head? Specifically, is there a conf.file to disable or is there another way to disable the search?

Thank you.

-KB

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

gjanders — Tue, 04 Jan 2022 22:10:57 GMT

I don't have access to a Linux Splunk instance to test right now, but it should either be a "archive buckets" or "archive buckets trigger" saved search.

You can disable it via the Settings -> saved searches, or by creating a savedsearches.conf with the stanza and setting disabled=1

Or you could disable the entire app, I would disable the app personally...

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

gjanders — Tue, 04 Jan 2022 22:13:23 GMT

With that said the | archivebuckets command might still work with the savedsearch disabled, it should fail once the app is disabled...

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

rashiagrawal — Mon, 07 Feb 2022 17:17:28 GMT

@KayBeesKnees83 - please let me know how did you finally disabled the "Bucket trigger" in savedsearch.

Which savedsearch.conf file was used .

I am suffering from the issue and looking for the correct way to disable this setting .

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

KayBeesKnees83 — Mon, 07 Feb 2022 17:21:08 GMT

I upgraded to Splunk v8.2.4 and deleted all the files as listed in the "Log4j report" from Splunk. However, if the aforementioned do not resolve your issue. You can disable the app completely. Search for the app "Bucket Copy" and just disable the app.

I hope this helps.

-KB

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

rashiagrawal — Mon, 07 Feb 2022 17:27:26 GMT

Is there app named "Bucket copy" or "splunk_archiver".

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

KayBeesKnees83 — Mon, 07 Feb 2022 17:53:50 GMT

It is the "splunk_archiver" -- the Bucket Copy Trigger search is located within that app.

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

rashiagrawal — Mon, 07 Feb 2022 17:55:05 GMT

Thank you. I have found the app on search head and disabled it.

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

diptij — Thu, 03 Mar 2022 18:49:27 GMT

Isn't the bucket copy functionality necessary in Splunk?

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

KayBeesKnees83 — Thu, 03 Mar 2022 18:55:34 GMT

No, it is not a necessary functionality in Splunk.

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

diptij — Thu, 03 Mar 2022 19:28:12 GMT

So [Bucket Copy Trigger] actually calls archivebuckets, which calls copybuckets. The archiving was leading me to question if the functionality is necessary because buckets do get moved from hot, warm, cold, archive.

In any splunk install (head or indexer) I just need to do the following:

1. copy $SPLUNK_HOME/etc/apps/splunk_archiver/default/savedsearches.conf to $SPLUNK_HOME/etc/aps/splunk_archiver/local/savedsearches.conf

2. Update local/savedsearches.conf so under [Bucket Copy Trigger]

change enableSched = 1 to enableSched = 0

Anything else?

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

KayBeesKnees83 — Thu, 03 Mar 2022 19:31:17 GMT

Looks good. I would also restart splunkd for good measure.

Re: Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

diptij — Thu, 03 Mar 2022 22:31:01 GMT

It ends up that in the local/savedsearches.conf you have to also add disabled=1 also