All Apps and Add-ons

Splunk Stream : Stream Forwarder Auth option in Distributed Forwarder Management

colineltringham
Explorer

Hi,

I've setup and installed Splunk Stream in a test environment consisting of 1 single deployment and 1 universal forwarder. Everything is working as expected, and i am able to receive data from both sources.

If i try to enable "Stream Forwarder Auth" and enter the Token for the HTTP Collector, soon as i hit apply or there about the stream forwarders fail and i see 401 errors in the webaccess.log, as well as

2017-05-04 19:37:46 ERROR 11552 stream.CaptureServer - Unable to ping server (9c32732f-aa86-4b9d-8735-55d71369e32c): /en-us/custom/splunk_app_stream/ping/ status=401

in the streamfwd.log files

Clearly i am missing a configuration step.

I've read about the streamfwd.conf file and in there is is an option:
httpEventCollectorToken I've set that to be the value of the Collector token manually also but that hasn't changed anything.

does anyone have any ideas what i could try?

Thanks

Colin

Tags (1)
0 Karma
1 Solution

colineltringham
Explorer

Hi @vshcherbakov_splunk

authToken gives "Invalid key in stanza [streamfwd] in C:\Program Files\Splunk\etc\apps\Splunk_TA_stream\local\streamfwd.conf, line 5: authToken "

when in streamfwd.conf - i had already tried that. What i don't understand is that it appears to be a valid key in the standalone forwarder but not the TA. Is that expected behavior?

the README section in the TA doesn't list authToken anywhere as a valid key, neither do the defaults.

Any other suggestions?

thanks

Colin

View solution in original post

0 Karma

colineltringham
Explorer

Hi @vshcherbakov_splunk

authToken gives "Invalid key in stanza [streamfwd] in C:\Program Files\Splunk\etc\apps\Splunk_TA_stream\local\streamfwd.conf, line 5: authToken "

when in streamfwd.conf - i had already tried that. What i don't understand is that it appears to be a valid key in the standalone forwarder but not the TA. Is that expected behavior?

the README section in the TA doesn't list authToken anywhere as a valid key, neither do the defaults.

Any other suggestions?

thanks

Colin

0 Karma

vshcherbakov_sp
Splunk Employee
Splunk Employee

Hi Colin,

I believe the "invalid key in stanza " error caused by a bug (namely authToken being omitted in streamfwd.conf.spec). This parameter is applicable to both independent forwarder and TA, so as a workaround I'd suggest adding it to streamfwd.conf.spec manually (ie authToken = <value>)

0 Karma

colineltringham
Explorer

excellent - that did the trick. Adding the authToken key to the Spec file in the readme folder and adding to the streamfwd.conf with the same key as in the HTTPCollector and the Forwarder Auth and everything seems to be talking.

Just need to play around to find out exactly what is needed where exactly.

Thanks for the help

Colin

0 Karma

vshcherbakov_sp
Splunk Employee
Splunk Employee

Hi @colineltringham,

I believe you need to set the authToken parameter in streamfwd.conf to match the Stream Auth Token set up on the SH.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...