How to uninstall Independent Stream Forwarder?

ZacEsa
Communicator

I did quite a dumb thing: I installed the Independent Stream Forwarder onto my Universal Forwarder. I didn't know that the Universal Forwarder can become a Stream Forwarder without installing the Independent Stream Forwarder.

Now, my Stream Forwarder isn't working. Is there any way to uninstall the Independent Stream Forwarder?

If anyone wants to try to assist me in solving the Stream Forwarder not working, please see the error message below.

2016-12-13 08:36:41 INFO  [140079871240000] (SnifferReactor/SnifferReactor.cpp:154) stream.SnifferReactor - Starting network capture: sniffer
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message: 
2016-12-13 08:36:41 FATAL [140079871240000] (CaptureServer.cpp:1893) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1084) stream.main - streamfwd has started successfully (version 7.0.0 build 128)
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1086) stream.main - web interface listening on port 8889

Unfortunately, there's no error message, so I can't really tell what's wrong. I'm assuming it's because I installed the Independent Stream Forwarder.

0 Karma
1 Solution

vshcherbakov_sp
Splunk Employee

@ZacEsa,
To uninstall independent Stream Forwarder, you can do something like the following as root (you may need to change the chkconfig command to what your distro is using for init.d daemons management):

service streamfwd stop
chkconfig --del streamfwd
rm -rf /opt/streamfwd/
rm -rf /etc/init.d/streamfwd 

That said, you should be able to run both independent Stream Forwarder and Stream Forwarder TA under Universal forwarder on the same machine in parallel, so I'm not sure the error message you're seeing is due to the co-existence of these packages. Have you run the ./set_permissions.sh script on the Stream Forwarder TA?

ZacEsa
Communicator

I don't know what happened, but I stopped the splunk service, re-ran the set_permissions.sh and started the splunk service (while still in root), and now it's working.

Haven't tried to stop and start the splunk service using splunk user to see if that was the issue.

I'll leave it as it is and I'll mark your question as the answer since you did answer my question on how to uninstall the Independent Stream Forwarder. Haha.

0 Karma

ZacEsa
Communicator

And as you can see from 2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:, it's not really showing any error message. It's just showing it failed to open pcap adapter. The universal forwarder is on a VM with VMXNET3 adapter, connected to a tap, so there is no IP address.

0 Karma

vshcherbakov_sp
Splunk Employee

The error message is blank probably because libpcap didn't return an error message, just the error code (although a bug cannot be excluded).

Is (was) the independent Stream Forwarder or tcpdump tool able to capture from this adapter? By default VMware doesn't allow a VNIC to be put in promiscuous mode (you need to explicitly enable that), so you may want to check that if you're not able to capture with either stream or tcpdump/wireshark.

0 Karma

ZacEsa
Communicator

The Independent Stream Forwarder was never able to capture. When I use tcpdump, I'm able to see the packets coming in. I have two interfaces on this VM and the Sniffer Reactor isn't able to open pcap adapter for both interfaces. And yes, it's in promiscuous mode already.

0 Karma

vshcherbakov_sp
Splunk Employee

What does the following command return:

tcpdump -i ens160 -L

0 Karma

ZacEsa
Communicator

Data link types for ens160 (use option -y to set):
  DOCSIS (DOCSIS) (printing not supported)
  EN10MB (Ethernet)

0 Karma

ZacEsa
Communicator

Dashboard

From the Splunk Stream Interface.

0 Karma

ZacEsa
Communicator

Yes, I've run ./set_permissions.sh on both the /opt/streamfwd/ and $SPLUNK_HOME/etc/apps/Splunk_TA_Stream/

0 Karma
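
The log excerpt in the question shows streamfwd logging "has started successfully" right after a FATAL capture failure, with nothing after "Error message:". As an added example (not from the thread or from Splunk's own tooling), this Python check flags that pattern in streamfwd log lines; the line layout is inferred from the five quoted lines, and the function and field names are hypothetical.

```python
import re

# Line layout inferred from the excerpt in the question (assumption):
# date time LEVEL [id] (source:line) logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<level>[A-Z]+)\s+"
    r"\[\d+\]\s+\([^)]+\)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
PCAP_FAIL_RE = re.compile(
    r"failed to open pcap adapter for device <(?P<dev>[^>]+)>\."
    r" Error message:\s*(?P<detail>.*)$"
)

# The five log lines as quoted in the question.
SAMPLE_LOG = """\
2016-12-13 08:36:41 INFO  [140079871240000] (SnifferReactor/SnifferReactor.cpp:154) stream.SnifferReactor - Starting network capture: sniffer
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:
2016-12-13 08:36:41 FATAL [140079871240000] (CaptureServer.cpp:1893) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1084) stream.main - streamfwd has started successfully (version 7.0.0 build 128)
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1086) stream.main - web interface listening on port 8889
"""


def audit(lines):
    """Hypothetical helper: summarise capture failures in one startup sequence."""
    failed, fatal_at, started_despite_fatal = [], None, False
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # not a log line in the assumed layout
        level, msg = m["level"], m["msg"]
        pf = PCAP_FAIL_RE.search(msg)
        if level == "ERROR" and pf:
            # The text after "Error message:" can be empty, as in the thread.
            failed.append({"device": pf["dev"], "ts": m["ts"],
                           "detail": pf["detail"].strip() or None})
        elif level == "FATAL" and "unable to start packet capture" in msg:
            fatal_at = m["ts"]
        elif level == "INFO" and "has started successfully" in msg:
            # A "started" line after a FATAL means the process is up but blind.
            started_despite_fatal = fatal_at is not None
    return {"failed_devices": failed, "capture_fatal_at": fatal_at,
            "started_despite_fatal": started_despite_fatal}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG.splitlines()))
```

A result with `started_despite_fatal` set means the forwarder process is running and its web interface is up while no packets are being captured, so a process or port check alone would not catch it.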