MY UF WHERE I PUT THE ADD-ON FOR STREAM FORWARDER ...

adrojis · ‎01-24-2024

Hi to everyone,

For a project, I need to deploy a test environnement with splunk and I need to capture stream log in order to to analyze it. For this project I have deployed a Splunk enterprise (9.1.2) on an ubuntu 20.04 and on another VM (also ubuntu 20.04) I put my UF (9.1.2). In the UF I put the add-on Splunk Add-on for Stream Forwarders (8.1.1) to capture packet and on my splunk enterprise Splunk App for Stream (8.1.1). I follow all installations and configurations steps and debug some issues but I still have an error that I don't know how to fix it. In the streamfwd.log files I see this error :

2024-01-24 06:14:03 ERROR [140599052777408] (SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor unrecognized link layer for device <ens33>: 253
2024-01-24 06:14:03 FATAL [140599052777408] (CaptureServer.cpp:2337) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer

ens33 is the right interface where I want to capture stream packet but I don't understand why it don't recognize it.

If you have any idea I will be very gratefull.

datadevops · ‎01-28-2024

Hi there,

Unfamiliar Link Layer:

It seems your network interface (ens33) uses a link layer type that Splunk's Stream Forwarder doesn't recognize (code 253).

Double-Check Interface:

Make sure you've configured the Stream Forwarder to capture on the correct interface (ens33). Check inputs.conf settings.

Kernel Module Issue:

In rare cases, outdated kernel modules for your network interface can cause this error. Update your kernel or manually install necessary modules.

Splunk Add-on Version:

Consider upgrading the Splunk Add-on for Stream Forwarders to a newer version that might have better compatibility with your link layer type.

Community Resources:

Search Splunk documentation and community forums for solutions related to "unrecognized link layer" errors in Stream Forwarders.

Remember:

Back up your configurations before making changes.
Test changes in a non-production environment.
Provide more details about your setup if the above suggestions don't help.

~ If the reply helps, a Karma upvote would be appreciated

adrojis · ‎01-28-2024

Hi,

First of all, thanks for helping me for this issue.

I tried all the things you say but I have the same error.

- The file input.conf on my UF don't permit to configure the interface (I verified the input.conf.spec file for verification).

- My kernel is updated so the problem It's not from It.

-And for the version, after verification, I have the last version of UF and Add-On available on Splunk base.

- For the Community Resources, I found one link that relate to this type of problem but there is no answer. I put the link here if you are interested :

https://community.splunk.com/t5/Deployment-Architecture/streamfwd-app-error-in-var-log-splunk-stream...

If you have more indications to fix my issue I will be very grateful to here it.

MY UF WHERE I PUT THE ADD-ON FOR STREAM FORWARDER IS UNABLE TO START PACKET CAPTURESNIFFER

configuration

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?