Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Will Splunk Enterprise ever fully support for ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To be more specific, anyone know when there will be full support for RHEL 7? With services being moved over to systemd, Splunk is still using the deprecated init.d script.
I have moved it over to a systemd service script and running it manually will stop, start, and restart the service but if I update an application and restart it through the browser it just stops the service.
You would think that since almost every linux OS is going to systemd, and has been for years now, that Splunk would update its software to recognize and do both.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The truth is most companies still fear systemd 🙂 and admins are still catching up to the reality in large organisations.
I've used the workaround for quite long now as per https://answers.splunk.com/answers/59662/is-there-a-systemd-unit-file-for-splunk.html
- Copy the contents which suite you into your version control
- After installation of Splunk, just copy this file as splunkd.service
- Then access like
sudo systemctl enable splunkd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Summary of the issue:
Splunk 6.0.0 - Splunk 7.2.1 defaults to using init.d when enabling boot start
Splunk 7.2.2 - Splunk 7.2.9 defaults to using systemd when enabling boot start
Splunk 7.3.0 - Splunk 8.x defaults to using init.d when enabling boot start
systemd defaults to prompting for root credentials upon stop/start/restart of Splunk
Here is a simple fix if you have encountered this issue and prefer to use the traditional init.d scripts vs systemd.
Splunk Enterprise/Heavy Forwarder example (note: replace the splunk user below with the account you run splunk as):
sudo /opt/splunk/bin/splunk disable boot-start
sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 0
Splunk Universal Forwarder example (note: replace the splunk user below with the account you run splunk as):
sudo /opt/splunkforwarder/bin/splunk disable boot-start
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk -systemd-managed 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The init script doesn't bother me that much; the bigger pain is Splunk_TA_nix needing updated; specifically the service list that is practically useless. Red Hat 7 has only been out 3.5 years, you would think they would want to be able to easily list the service on a server considering its importance for security and operations. We do have support and I've opened support cases, I've spoken to people to try and get this on the road map, but they don't seem to really care.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The truth is most companies still fear systemd 🙂 and admins are still catching up to the reality in large organisations.
I've used the workaround for quite long now as per https://answers.splunk.com/answers/59662/is-there-a-systemd-unit-file-for-splunk.html
- Copy the contents which suite you into your version control
- After installation of Splunk, just copy this file as splunkd.service
- Then access like
sudo systemctl enable splunkd
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
