topic Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service? in Getting Data In

After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

ashikuma — Mon, 24 Jun 2019 07:26:38 GMT

after upgrading forwarder to 7.2.6 it's not getting controlled by Splunk user(specifically aligned to Splunk only (non-root user)) while restarting service.

We upgrade Splunk UF to 7.2.6 from 6.x.x , everything is working as expected but while stop\start splunk service it's asking for authentication (mentioned below). And this message coming only once we enable boot start for Splunk user so that It can auto start after reboot. If we disable boot start then I am not getting these messages.

[user@servername ~]$ /usr/splunk/splunkforwarder/bin/splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Multiple identities can be used for authentication:

And you will get multiple user identities here after this above line, these are the user who's ID is synced with root user. And if I ask them to do they are able to restart Splunk but they have to choose their username and password , so to add splunk user here in identities list what we need to do. Is there a way to get rid of this.

Splunk UF version - 7.2.6
OS version - Red Hat Enterprise Linux Server release 7.6 (Maipo)

Do we need to tweak splunk configuration or make any entries in sudoer files on OS side.

Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

DavidHourani — Mon, 24 Jun 2019 08:24:27 GMT

Hi @ashikuma,

Did you follow the steps mentioned here :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/RunSplunkassystemdservice#Configure_systemd_using_enable_boot-start
How did you set this up exactly ?

Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

harsmarvania57 — Mon, 24 Jun 2019 09:13:34 GMT

Hi,

This is due to systemd changes introduced by Splunk in 7.2.2, have a look at answers post https://answers.splunk.com/answers/738877/splunk-systemd-unit-file-in-versions-722-and-newer.html which explains this behavior and solution.

Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

FrankVl — Mon, 24 Jun 2019 09:14:50 GMT

This is due to Splunk using systemd to manage the Splunk process by default in certain 7.2.x versions. If you want to get rid of this, you can enable boot start with the old method by adding -systemd-managed 0 https://docs.splunk.com/Documentation/Splunk/latest/Admin/RunSplunkassystemdservice#Additional_options_for_enable_boot-start

Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

harsmarvania57 — Mon, 24 Jun 2019 09:17:13 GMT

Update: Since 7.3 default is -systemd-managed 0 (Splunk reverted default configuration which they introduced in 7.2.2)

Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

ashikuma — Mon, 24 Jun 2019 09:21:01 GMT

we enabled it using command : /usr/splunk/splunkforwarder/bin/splunk enable boot-start -user
and it's making entries under /etc/init.d/splunk in linux boxes, but when we upgraded it to 7.2.6 we lost control on stop\start service , so as per above document do we need to use systemd to control splunk.
My questions is same thing working in splunk UF version lowes version 6.x.x but not on 7.2.6.

I would say just try same to install in your test env. once for same scenario.

Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

FrankVl — Mon, 24 Jun 2019 09:28:38 GMT

Oh, cool, didn't know that 🙂

Edited my answer to clarify systemd is only the default in certain 7.2.x versions.

Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

gjanders — Mon, 24 Jun 2019 22:04:05 GMT

sudoers will not resolve this problem, refer to FrankVI's comments around the systemd usage in Splunk 7.2
If you choose to stay with systemd in the particular Splunk 7.2 version or above refer to:
https://answers.splunk.com/answers/738877/splunk-systemd-unit-file-in-versions-722-and-newer.html

That will provide a solution to remove the password prompt, if not feel free to use init.d if that is preferred!

Re: After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

bandit — Tue, 31 Dec 2019 18:43:23 GMT

Summary of the issue:
Splunk 6.0.0 - Splunk 7.2.1 defaults to using init.d when enabling boot start
Splunk 7.2.2 - Splunk 7.2.9 defaults to using systemd when enabling boot start
Splunk 7.3.0 - Splunk 8.x defaults to using init.d when enabling boot start

systemd defaults to prompting for root credentials upon stop/start/restart of Splunk

Here is a simple fix if you have encountered this issue and prefer to use the traditional init.d scripts vs systemd.

Splunk Enterprise/Heavy Forwarder example (note: replace the splunk user below with the account you run splunk as):

sudo /opt/splunk/bin/splunk disable boot-start
sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 0

Splunk Universal Forwarder example (note: replace the splunk user below with the account you run splunk as):

sudo /opt/splunkforwarder/bin/splunk disable boot-start
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk -systemd-managed 0