How to uninstall Independent Stream Forwarder?

ZacEsa
Communicator

I did quite a dumb thing: I installed the Independent Stream Forwarder onto my Universal Forwarder. I didn't know that the Universal Forwarder can become a Stream Forwarder without installing the Independent Stream Forwarder.

Now, my Stream Forwarder isn't working. Is there any way to uninstall the Independent Stream Forwarder?

If anyone wants to try to assist me in solving the Stream Forwarder not working, please see the error message below.

2016-12-13 08:36:41 INFO  [140079871240000] (SnifferReactor/SnifferReactor.cpp:154) stream.SnifferReactor - Starting network capture: sniffer
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message: 
2016-12-13 08:36:41 FATAL [140079871240000] (CaptureServer.cpp:1893) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1084) stream.main - streamfwd has started successfully (version 7.0.0 build 128)
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1086) stream.main - web interface listening on port 8889

Unfortunately, there's no error message, so I can't really tell what's wrong. I'm assuming it's because I installed the Independent Stream Forwarder.

0 Karma
1 Solution

vshcherbakov_sp
Splunk Employee

@ZacEsa,
To uninstall independent Stream Forwarder, you can do something like the following as root (you may need to change the chkconfig command to what your distro is using for init.d daemons management):

service streamfwd stop
chkconfig --del streamfwd
rm -rf /opt/streamfwd/
rm -rf /etc/init.d/streamfwd 

That said, you should be able to run both independent Stream Forwarder and Stream Forwarder TA under Universal forwarder on the same machine in parallel, so I'm not sure the error message you're seeing is due to the coexistence of these packages. Have you run the ./set_permissions.sh script on the Stream Forwarder TA?

ZacEsa
Communicator

I don't know what happened, but I stopped the splunk service, re-ran set_permissions.sh and started the splunk service (while still in root), and now it's working.

Haven't tried to stop and start the splunk service using splunk user to see if that was the issue.

I'll leave it as it is and I'll mark your question as the answer since you did answer my question on how to uninstall the Independent Stream Forwarder. Haha.

0 Karma

ZacEsa
Communicator

And as you can see from 2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:, it's not really showing any error message. It's just showing it failed to open pcap adapter. The universal forwarder is on a VM with VMXNET3 adapter, connected to a tap, so there is no IP address.

0 Karma

vshcherbakov_sp
Splunk Employee

The error message is blank probably because libpcap didn't return an error message, just the error code (although a bug cannot be excluded).

Is (was) the independent Stream Forwarder or tcpdump tool able to capture from this adapter? By default VMware doesn't allow a VNIC to be put in promiscuous mode (you need to explicitly enable that), so you may want to check that if you're not able to capture with either stream or tcpdump/wireshark.

0 Karma
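Added example, not part of any post in this thread and not Splunk's code: a shell helper that scans streamfwd log lines in the format quoted above, lists each device whose pcap adapter failed to open (marking an empty libpcap message), and reports when the daemon logged a successful start even though capture failed. The ens192 line and its message text are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage of streamfwd log lines in the format quoted in the thread.

# Four lines are copied from the thread; the ens192 line is constructed.
sample_log() {
cat <<'EOF'
2016-12-13 08:36:41 INFO  [140079871240000] (SnifferReactor/SnifferReactor.cpp:154) stream.SnifferReactor - Starting network capture: sniffer
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens160>. Error message:
2016-12-13 08:36:41 ERROR [140079871240000] (SnifferReactor/PcapNetworkCapture.cpp:231) stream.SnifferReactor - SnifferReactor failed to open pcap adapter for device <ens192>. Error message: permission denied (constructed)
2016-12-13 08:36:41 FATAL [140079871240000] (CaptureServer.cpp:1893) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
2016-12-13 08:36:41 INFO  [140079871240000] (main.cpp:1084) stream.main - streamfwd has started successfully (version 7.0.0 build 128)
EOF
}

# Reads a log on stdin; prints "device<TAB>failures<TAB>last message" per device.
capture_failures() {
    awk '
    /failed to open pcap adapter for device </ {
        dev = $0
        sub(/.*for device </, "", dev)   # drop everything up to the device name
        sub(/>.*/, "", dev)              # drop everything after it
        msg = $0
        if (sub(/.*Error message:[ \t]*/, "", msg) == 0) msg = ""
        sub(/[ \t\r]+$/, "", msg)
        if (msg == "") msg = "(none reported)"   # libpcap gave no text
        count[dev]++
        last[dev] = msg
    }
    END { for (d in count) printf "%s\t%d\t%s\n", d, count[d], last[d] }' | sort
}

# Reads a log on stdin; prints one word describing the most recent start attempt.
capture_state() {
    awk '
    /Starting network capture/           { seen = 1; fatal = 0; up = 0 }
    /unable to start packet capture/     { fatal = 1 }
    /streamfwd has started successfully/ { up = 1 }
    END {
        if (!seen)            print "unknown"
        else if (fatal && up) print "running-without-capture"
        else if (fatal)       print "capture-failed"
        else                  print "no-capture-failure-logged"
    }'
}

sample_log | capture_failures
sample_log | capture_state
```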

ZacEsa
Communicator

The Independent Stream Forwarder was never able to capture. When I use tcpdump, I'm able to see the packets coming in. I have two interfaces on this VM and the Sniffer Reactor isn't able to open pcap adapter for both interfaces. And yes, it's in promiscuous mode already.

0 Karma

vshcherbakov_sp
Splunk Employee

What does the following command return:

tcpdump -i ens160 -L

0 Karma

ZacEsa
Communicator

Data link types for ens160 (use option -y to set):
  DOCSIS (DOCSIS) (printing not supported)
  EN10MB (Ethernet)

0 Karma

ZacEsa
Communicator

Dashboard

From the Splunk Stream Interface.

0 Karma

ZacEsa
Communicator

Yes, I've run ./set_permissions.sh on both the /opt/streamfwd/ and $SPLUNK_HOME/etc/apps/Splunk_TA_Stream/

0 Karma