How to uninstall Independent Stream Forwarder?

Communicator

I did quite a dumb thing: I installed the Independent Stream Forwarder onto my Universal Forwarder. I didn't know that the Universal Forwarder can become a Stream Forwarder without installing the Independent Stream Forwarder.

Now, my Stream Forwarder isn't working. Is there any way to uninstall the Independent Stream Forwarder?

If anyone wants to try to assist me in solving the Stream Forwarder not working, please see the error message below.

2016-12-13 08:36:41 INFO  [140079871240000] (SnifferReactor/SnifferReactor.cpp:154) stream.SnifferReactor - Starting network capture: sniffer
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message: 
2016-12-13 08:36:41 FATAL [140079871240000] (CaptureServer.cpp:1893) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1084) stream.main - streamfwd has started successfully (version 7.0.0 build 128)
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1086) stream.main - web interface listening on port 8889

Unfortunately, there's no error message, so I can't really tell what's wrong. I'm assuming it's because I installed the Independent Stream Forwarder.

0 Karma
1 Solution

Splunk Employee

@ZacEsa,
To uninstall independent Stream Forwarder, you can do something like the following as root (you may need to change the chkconfig command to what your distro is using for init.d daemons management):

service streamfwd stop
chkconfig --del streamfwd
rm -rf /opt/streamfwd/
rm -rf /etc/init.d/streamfwd 

That said, you should be able to run both independent Stream Forwarder and Stream Forwarder TA under Universal forwarder on the same machine in parallel, so I'm not sure the error message you're seeing is due to the co-existence of these packages. Have you run the ./set_permissions.sh script on the Stream Forwarder TA?

Communicator

I don't know what happened, but I stopped the splunk service, I re-ran the set_permissions.sh and I started the splunk service (while still in root), and now it's working.

Haven't tried to stop and start the splunk service using splunk user to see if that was the issue.

I'll leave it as it is and I'll mark your question as the answer since you did answer my question on how to uninstall the Independent Stream Forwarder. Haha.

0 Karma

Communicator

And as you can see from the following line, it's not really showing any error message:

2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:

It's just showing it failed to open pcap adapter. The universal forwarder is on a VM with a VMXNET3 adapter, connected to a tap, so there is no IP address.

0 Karma

Splunk Employee

The error message is blank probably because libpcap didn't return an error message, just the error code (although a bug cannot be excluded).

Is (was) the independent Stream Forwarder or tcpdump tool able to capture from this adapter? By default VMware doesn't allow a VNIC to be put in promiscuous mode (you need to explicitly enable that), so you may want to check that if you're not able to capture with either stream or tcpdump/wireshark.

0 Karma
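An added example, not part of the original thread and not Splunk code: a small parser for the streamfwd log lines quoted in the question. It reports which devices failed to open, whether any error text was logged, and shows why the "has started successfully" line cannot be used alone as a capture health check. The function names and the log layout (inferred from the five quoted lines) are assumptions.

```python
import re

# The five lines quoted in the thread, trailing whitespace trimmed.
# The layout (timestamp, level, [thread], (source), logger - message) is inferred from them.
SAMPLE_LOG = """\
2016-12-13 08:36:41 INFO  [140079871240000] (SnifferReactor/SnifferReactor.cpp:154) stream.SnifferReactor - Starting network capture: sniffer
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:
2016-12-13 08:36:41 FATAL [140079871240000] (CaptureServer.cpp:1893) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1084) stream.main - streamfwd has started successfully (version 7.0.0 build 128)
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1086) stream.main - web interface listening on port 8889
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>\d+)\] \((?P<src>[^)]+)\) (?P<logger>\S+) - (?P<msg>.*)$"
)
PCAP_FAIL_RE = re.compile(
    r"failed to open pcap adapter for device <(?P<dev>[^>]+)>\. Error message:(?P<detail>.*)$"
)

def parse(log_text):
    """Yield one dict per line that matches the inferred streamfwd log layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def capture_health(log_text):
    """Summarise capture failures found in a streamfwd log excerpt."""
    report = {"failed_devices": {}, "fatal": [], "claims_started": False}
    for rec in parse(log_text):
        fail = PCAP_FAIL_RE.search(rec["msg"])
        if fail:
            # None means the log carried no error text after "Error message:".
            report["failed_devices"][fail["dev"]] = fail["detail"].strip() or None
        if rec["level"] == "FATAL":
            report["fatal"].append(rec["msg"])
        if "has started successfully" in rec["msg"]:
            report["claims_started"] = True
    # The process can log a successful start even though capture never began.
    report["capturing"] = report["claims_started"] and not (
        report["failed_devices"] or report["fatal"]
    )
    return report

if __name__ == "__main__":
    print(capture_health(SAMPLE_LOG))
```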

Communicator

The Independent Stream Forwarder was never able to capture. When I use tcpdump, I'm able to see the packets coming in. I have two interfaces on this VM and the Sniffer Reactor isn't able to open pcap adapter for both interfaces. And yes, it's in promiscuous mode already.

0 Karma

Splunk Employee

What does the following command return:

tcpdump -i ens160 -L

0 Karma

Communicator

Data link types for ens160 (use option -y to set):
  DOCSIS (DOCSIS) (printing not supported)
  EN10MB (Ethernet)

0 Karma

Communicator

Dashboard

From the Splunk Stream Interface.

0 Karma

Communicator

Yes, I've run ./set_permissions.sh on both the /opt/streamfwd/ and $SPLUNK_HOME/etc/apps/Splunk_TA_Stream/

0 Karma