All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

MY UF WHERE I PUT THE ADD-ON FOR STREAM FORWARDER IS UNABLE TO START PACKET CAPTURESNIFFER

adrojis
Loves-to-Learn Lots
‎01-24-2024 07:13 AM

Hi to everyone, 

For a project, I need to deploy a test environnement with splunk and I need to capture stream log in order to to analyze it. For this project I have deployed a Splunk enterprise (9.1.2) on an ubuntu 20.04 and on another VM (also ubuntu 20.04) I put my UF (9.1.2). In the UF I put the add-on Splunk Add-on for Stream Forwarders (8.1.1) to capture packet and on my splunk enterprise Splunk App for Stream (8.1.1).  I follow all installations and configurations steps and debug some issues but I still have an error that I don't know how to fix it. In the streamfwd.log files I see this error : 

2024-01-24 06:14:03 ERROR [140599052777408] (SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor unrecognized link layer for device <ens33>: 253
2024-01-24 06:14:03 FATAL [140599052777408] (CaptureServer.cpp:2337) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer

ens33 is the right interface where I want to capture stream packet but I don't understand why it don't recognize it.

If you have any idea I will be very gratefull.

 

Labels (1)
Labels
0 Karma
Reply

datadevops
Path Finder
‎01-28-2024 02:25 AM

Hi there,

Unfamiliar Link Layer:

  • It seems your network interface (ens33) uses a link layer type that Splunk's Stream Forwarder doesn't recognize (code 253).

Double-Check Interface:

  • Make sure you've configured the Stream Forwarder to capture on the correct interface (ens33). Check inputs.conf settings.

Kernel Module Issue:

  • In rare cases, outdated kernel modules for your network interface can cause this error. Update your kernel or manually install necessary modules.

Splunk Add-on Version:

  • Consider upgrading the Splunk Add-on for Stream Forwarders to a newer version that might have better compatibility with your link layer type.

Community Resources:

  • Search Splunk documentation and community forums for solutions related to "unrecognized link layer" errors in Stream Forwarders.

Remember:

  • Back up your configurations before making changes.
  • Test changes in a non-production environment.
  • Provide more details about your setup if the above suggestions don't help.

~ If the reply helps, a Karma upvote would be appreciated

0 Karma
Reply

adrojis
Loves-to-Learn Lots
‎01-28-2024 07:16 AM

Hi,

First of all, thanks for helping me for this issue.

I tried all the things you say but I have the same error. 

- The file input.conf on my UF don't permit to configure the interface (I verified the input.conf.spec file for verification).

- My kernel is updated so the problem It's not from It.

-And for the version, after verification, I have the last version of UF and Add-On available on Splunk base.

- For the  Community Resources, I found one link that relate to this type of problem but there is no answer. I put the link here if you are interested : 

https://community.splunk.com/t5/Deployment-Architecture/streamfwd-app-error-in-var-log-splunk-stream...

If you have more indications to fix my issue I will be very grateful to here it.

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...