FTP Receiver app Troubleshooting

DEAD_BEEF
Builder

I'm trying to get logs from a remote system via SFTP. I read that the FTP Receiver app sets up a HF to act like an FTP server to retrieve files, monitor the log directory as an input, and send them to the indexers.

I deployed the app to my HF and created a separate account to log in to the HF (credentials matching the account used to retrieve the FTP logs) with all the various permissions from the README, but I'm just getting errors saying that the service could not start.

The HF is running on RHEL 7.6 and the ftp service is enabled in firewalld. I tried telnet on ports 20 and 21 from another host in my environment to the HF and got "no route" and then "connection refused" (respectively).

In the Data Input > FTP > Port I tried both 20 and 21 with no success.

Not sure what else I need to do to set up the app. @LukeMurphey

=================UPDATE=================
Changed port to 2022 and now no more errors. But not seeing any data either. What can I check next?

0 Karma

LukeMurphey
Champion

Linux/Unix does not allow non-root users to open a port less than 1024 by default. See https://www.geeksforgeeks.org/bind-port-number-less-1024-non-root-access/ for details on how to get around this issue.

0 Karma
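To separate the OS privileged-port restriction described in this answer from an app or firewall problem, the bind attempt can be reproduced outside Splunk. The following is an added example, not code from the thread or from the FTP Receiver app; run it as the same non-root user that runs splunkd, and the function names and messages are my own.

```python
import errno
import os
import socket


def try_bind(port, host="0.0.0.0"):
    """Attempt a TCP bind on `port` and report the outcome as a short label.

    A privileged port (< 1024) bound by a non-root user without
    CAP_NET_BIND_SERVICE fails with EACCES, which Python raises as
    PermissionError; that is the failure the thread ran into on 20/21.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))
        return "ok"
    except PermissionError:
        return "permission_denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in_use"
        return "error:%s" % errno.errorcode.get(exc.errno, exc.errno)
    finally:
        sock.close()


def diagnose(port, outcome, euid=None):
    """Map a bind outcome to the next thing worth checking.

    `euid` defaults to the current effective uid; it is a parameter so the
    reasoning can be checked without running as a particular user.
    """
    euid = os.geteuid() if euid is None else euid
    if outcome == "ok":
        return ("bind succeeded on port %d; the OS is not blocking it, so look "
                "at the app configuration and firewalld next" % port)
    if outcome == "permission_denied" and port < 1024 and euid != 0:
        return ("privileged port %d refused for uid %d: move the listener "
                "above 1024 (e.g. 2022) or grant CAP_NET_BIND_SERVICE to the "
                "splunkd binary" % (port, euid))
    if outcome == "in_use":
        return "port %d already has a listener; check `ss -ltnp` for the owner" % port
    return "unexpected bind failure (%s) on port %d" % (outcome, port)


if __name__ == "__main__":
    for candidate in (21, 2022):
        print(diagnose(candidate, try_bind(candidate)))
```

Note that the firewalld "ftp" service only covers the standard FTP port, so after moving the listener to 2022 that port has to be opened separately (for example with a firewall-cmd port rule) before the remote host can reach it.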

DEAD_BEEF
Builder

The app requires that this be on port 20/21? I switched it to 2022 as you suggested but not seeing any messages in _internal anymore.

0 Karma

LukeMurphey
Champion

I'm wondering if the OS is disallowing the port to be opened because Splunk isn't running as root. You could test this by changing the port to something above 1024 (like 2022). Let me know if that works.

0 Karma

DEAD_BEEF
Builder

@LukeMurphey I updated the port to 2022 as you suggested and I'm not seeing the errors anymore. I ran the _internal search and there isn't anything new besides when it started the FTP server on the new port. I checked the index (main for now) and no data as of yet. What would you suggest I check next?

0 Karma