topic Re: How to resolve messages about 'File Integrity checks' for Splunk files in Monitoring Splunk

How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Sat, 24 Sep 2016 15:03:57 GMT

Getting this message "File Integrity checks found files that did not match the system-provided manifest. See splunkd.log for details."

Anyone seen this before? Any idea what it's about?

Seeing this in the splunkd.log:

09-24-2016 11:12:26.554 -0400 WARN  InstalledFilesHashChecker - An installed file="/opt/splunk/etc/log.cfg" did not pass hash-checking due to reason="content mismatch"

I'm using log-local.cfg so I'm wondering what I messed up here.

Re: How to resolve messages about 'File Integrity checks' for Splunk files

lukejadamec — Mon, 26 Sep 2016 10:28:50 GMT

What version of Splunk are you using?
You can read about file system monitoring here:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Monitorchangestoyourfilesystem

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Mon, 26 Sep 2016 13:32:52 GMT

This actually isn't the FIM feature. Looks like something else but I'm checking if it's just a bug.

Re: How to resolve messages about 'File Integrity checks' for Splunk files

rsennett_splunk — Mon, 26 Sep 2016 13:58:02 GMT

is there a search head cluster involved?

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Tue, 04 Oct 2016 12:18:08 GMT

SHC is being used and it appears this is only happening there now. Checking if the config over there is good. Running on 6.5.0.

Re: How to resolve messages about 'File Integrity checks' for Splunk files

mbschriek — Tue, 11 Oct 2016 07:53:19 GMT

Is there already a solution to this error? I'm getting the same messages and the splunkd.log is not informative.

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sanderdenheijer — Thu, 13 Oct 2016 14:57:35 GMT

Using Splunk 6.5 (clustered environment) here and also getting the messages.

At https://[your_splunk]:8089/services/server/status//installed-file-integrity you can find an overview of the files that did not match the system-provided manifest.

Looks like default files that were changed.

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Fri, 14 Oct 2016 22:22:35 GMT

Great catch! Root cause was some stuff I was screwing around with in regards to the introspection_generator_addon and user-prefs which were blowing away the default config. So, this is all my fault but thanks for catching the endpoint which exposed the root cause!

Re: How to resolve messages about 'File Integrity checks' for Splunk files

machiel — Mon, 17 Oct 2016 15:55:26 GMT

Your info helped me out too 🙂

Re: How to resolve messages about 'File Integrity checks' for Splunk files

fab73 — Fri, 25 Nov 2016 09:28:06 GMT

Me too! I (changed the metadata file to promote/share view but it was no more usefull anyway). Thanx.

Re: How to resolve messages about 'File Integrity checks' for Splunk files

Michael — Wed, 30 Nov 2016 16:32:46 GMT

getting this too... I'm trying to clear any non-INFO issues logged in splunkd.log. Also trying to document things in my deployment by adding to README files (and commenting in other conf files) -- which of course changes the hash and triggers this WARNing. Most annoying...

Wish there was a way to update the hashes for the "InstalledFilesHashChecker" hash table...

6.5, cluster, deployment server, etc...

BTW, Luke, the link you provided is for file monitoring, this is not that. This is a hash check at startup to compare existing files to a manifest of ones originally installed.

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Wed, 30 Nov 2016 19:14:24 GMT

That's a great example. I think in mine, it's just the meta files. Both shouldn't be so dramatic IMO. If you open a case on this, ask support to link to SPL-133233.

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Tue, 31 Jan 2017 14:15:52 GMT

A peer of mine, Justin, showed me that limits.conf has a setting, installed_files_integrity, that controls if the integrity items are exposed to the UI, splunkd.log, or not at all. I consider this a win!

Re: How to resolve messages about 'File Integrity checks' for Splunk files

borkborkbork — Wed, 22 Feb 2017 00:56:59 GMT

I get following the above url "404: Page not found". I don't have any "installed-file-integrity" page

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Mon, 27 Feb 2017 19:56:09 GMT

Sounds like you might have gone to the wrong URI or port. Wanna past the URL here?

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Wed, 22 Mar 2017 20:43:22 GMT

I don't think we posted this on here yet, but here's some background: http://docs.splunk.com/Documentation/Splunk/latest/Admin/ChecktheintegrityofyourSplunksoftwarefiles

Re: How to resolve messages about 'File Integrity checks' for Splunk files

vskoryk_splunk — Tue, 28 Mar 2017 19:52:08 GMT

./splunk validate files

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Fri, 31 Mar 2017 12:17:43 GMT

Yes! In fact, we just had the docs team include this banner message's text in our docs. So hopefully anyone else running into this will more easily find the docs in an internet search:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/ChecktheintegrityofyourSplunksoftwarefiles#Interpret_results_of_an_integrity_check

Re: How to resolve messages about 'File Integrity checks' for Splunk files

adepasquale — Mon, 08 May 2017 14:57:24 GMT

I received this error after following another thread that stated you uninstall apps by disabling them, removing the folders from ./etc/apps and then restarting. Any idea how to fix this?

Re: How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch — Tue, 09 May 2017 13:10:49 GMT

@adepasquale - The message means that files that come with Splunk (listed in the manifest file) were changed after install. This might mean you removed a required app like the launcher or search app. Tread carefully there and make you everything in a base install exists. Alternatively, use the answers listed in this post to hide the messages and/or learn how to learn what files were changed.