All Apps and Add-ons

Splunk Stream : Stream Forwarder Auth option in Distributed Forwarder Management

Hi,

I've setup and installed Splunk Stream in a test environment consisting of 1 single deployment and 1 universal forwarder. Everything is working as expected, and i am able to receive data from both sources.

If i try to enable "Stream Forwarder Auth" and enter the Token for the HTTP Collector, soon as i hit apply or there about the stream forwarders fail and i see 401 errors in the webaccess.log, as well as

2017-05-04 19:37:46 ERROR 11552 stream.CaptureServer - Unable to ping server (9c32732f-aa86-4b9d-8735-55d71369e32c): /en-us/custom/splunk_app_stream/ping/ status=401

in the streamfwd.log files

Clearly i am missing a configuration step.

I've read about the streamfwd.conf file and in there is is an option:
httpEventCollectorToken I've set that to be the value of the Collector token manually also but that hasn't changed anything.

does anyone have any ideas what i could try?

Thanks

Colin

Tags (1)
0 Karma
1 Solution

Hi @vshcherbakov_splunk

authToken gives "Invalid key in stanza [streamfwd] in C:\Program Files\Splunk\etc\apps\Splunk_TA_stream\local\streamfwd.conf, line 5: authToken "

when in streamfwd.conf - i had already tried that. What i don't understand is that it appears to be a valid key in the standalone forwarder but not the TA. Is that expected behavior?

the README section in the TA doesn't list authToken anywhere as a valid key, neither do the defaults.

Any other suggestions?

thanks

Colin

View solution in original post

0 Karma

Hi @vshcherbakov_splunk

authToken gives "Invalid key in stanza [streamfwd] in C:\Program Files\Splunk\etc\apps\Splunk_TA_stream\local\streamfwd.conf, line 5: authToken "

when in streamfwd.conf - i had already tried that. What i don't understand is that it appears to be a valid key in the standalone forwarder but not the TA. Is that expected behavior?

the README section in the TA doesn't list authToken anywhere as a valid key, neither do the defaults.

Any other suggestions?

thanks

Colin

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Hi Colin,

I believe the "invalid key in stanza " error caused by a bug (namely authToken being omitted in streamfwd.conf.spec). This parameter is applicable to both independent forwarder and TA, so as a workaround I'd suggest adding it to streamfwd.conf.spec manually (ie authToken = <value>)

0 Karma

excellent - that did the trick. Adding the authToken key to the Spec file in the readme folder and adding to the streamfwd.conf with the same key as in the HTTPCollector and the Forwarder Auth and everything seems to be talking.

Just need to play around to find out exactly what is needed where exactly.

Thanks for the help

Colin

0 Karma

Splunk Employee
Splunk Employee

Hi @colineltringham,

I believe you need to set the authToken parameter in streamfwd.conf to match the Stream Auth Token set up on the SH.

0 Karma