
I did quite a dumb thing: I installed the Independent Stream Forwarder onto my Universal Forwarder. I didn't know that the Universal Forwarder can become a Stream Forwarder without installing the Independent Stream Forwarder.
Now, my Stream Forwarder isn't working. Is there any way to uninstall the Independent Stream Forwarder?
If anyone wants to try to assist me in solving the Stream Forwarder not working, please see the error message below.
2016-12-13 08:36:41 INFO [140079871240000] (SnifferReactor/SnifferReactor.cpp:154) stream.SnifferReactor - Starting network capture: sniffer
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:
2016-12-13 08:36:41 FATAL [140079871240000] (CaptureServer.cpp:1893) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
2016-12-13 08:36:41 INFO [140079871240000] (main.cpp:1084) stream.main - streamfwd has started successfully (version 7.0.0 build 128)
2016-12-13 08:36:41 INFO [140079871240000] (main.cpp:1086) stream.main - web interface listening on port 8889
Unfortunately, there's no error message, so I can't really tell what's wrong. I'm assuming it's because I installed the Independent Stream Forwarder.

@ZacEsa,
To uninstall independent Stream Forwarder, you can do something like the following as root (you may need to change the chkconfig command to what your distro is using for init.d daemons management):
service streamfwd stop
chkconfig --del streamfwd
rm -rf /opt/streamfwd/
rm -rf /etc/init.d/streamfwd
That said, you should be able to run both independent Stream Forwarder and Stream Forwarder TA under Universal forwarder on the same machine in parallel, so I'm not sure the error message you're seeing is due to the coexistence of these packages. Have you run the ./set_permissions.sh script on the Stream Forwarder TA?

I don't know what happened, but I stopped the splunk service, I re-ran the set_permissions.sh and I started the splunk service (while still in root), and now it's working.
Haven't tried to stop and start the splunk service using splunk user to see if that was the issue.
I'll leave it as it is and I'll mark your question as the answer since you did answer my question on how to uninstall the Independent Stream Forwarder. Haha.

And as you can see from
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:
it's not really showing any error message. It's just showing it failed to open pcap adapter. The universal forwarder is on a VM with VMXNET3 adapter, connected to a tap, so there is no IP address.

The error message is blank probably because libpcap didn't return an error message, just the error code (although a bug cannot be excluded).
Is (was) the independent Stream Forwarder or tcpdump tool able to capture from this adapter? By default VMware doesn't allow a VNIC to be put in promiscuous mode (you need to explicitly enable that), so you may want to check that if you're not able to capture with either stream or tcpdump/wireshark.

The Independent Stream Forwarder was never able to capture. When I use tcpdump, I'm able to see the packets coming in. I have two interfaces on this VM and the Sniffer Reactor isn't able to open pcap adapter for both interfaces. And yes, it's in promiscuous mode already.

What does the following command return:
tcpdump -i ens160 -L

Data link types for ens160 (use option -y to set):
DOCSIS (DOCSIS) (printing not supported)
EN10MB (Ethernet)

From the Splunk Stream Interface.

Yes, I've run ./set_permissions.sh on both the /opt/streamfwd/ and $SPLUNK_HOME/etc/apps/Splunk_TA_Stream/
