Hello guys,
I would like your help with this:
I am getting this error when I am trying to install splunkclouduf.spl on Windows Server 2012.
Did not find "disabled" setting of "kvstore" stanza in server bundle.
Couldn't complete HTTP request: Winsock error #10022
Event Viewer:
Faulting application name: SplunkD.EXE, version: 2048.256.24031.1943, time stamp: 0x5ddf0b24
Faulting module name: ucrtbase.DLL, version: 10.0.10586.212, time stamp: 0x56fa10e8
Exception code: 0xc0000409
Fault offset: 0x00000000000698fe
Faulting process id: 0x142c
Faulting application start time: 0x01d5cc7ddfb89889
Faulting application path: C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE
Faulting module path: C:\Program Files\SplunkUniversalForwarder\bin\ucrtbase.DLL
Report Id: 1e9fe115-3871-11ea-941d-44a8421b43ed
Faulting package full name:
Faulting package-relative application ID:
Hi @marceloamorim,
Did you follow the steps here for the install:
https://docs.splunk.com/Documentation/Splunk/latest/AddMSADCloud/Forwardercertificate#Install_the_fo...
If so, could you please paste in what errors/warnings you're getting in your internal logs?
Cheers,
David
Hey @DavidHourani, thanks for the answer!
Yes, I have followed this article, but when I type "splunk install app -auth :", I receive this error message:
Did not find "disabled" setting of "kvstore" stanza in server bundle.
Couldn't complete HTTP request: Winsock error #10022
This error is from Event Viewer:
Faulting application name: SplunkD.EXE, version: 2048.256.24031.1943, time stamp: 0x5ddf0b24
Faulting module name: ucrtbase.DLL, version: 10.0.10586.212, time stamp: 0x56fa10e8
Exception code: 0xc0000409
Fault offset: 0x00000000000698fe
Faulting process id: 0x142c
Faulting application start time: 0x01d5cc7ddfb89889
Faulting application path: C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE
Faulting module path: C:\Program Files\SplunkUniversalForwarder\bin\ucrtbase.DLL
Report Id: 1e9fe115-3871-11ea-941d-44a8421b43ed
Faulting package full name:
Faulting package-relative application ID:
Could you please post what's in the internal logs? In splunkd.log
Hey @DavidHourani
Here are the logs:
01-17-2020 08:05:00.383 -0800 WARN DC:DeploymentClient - DeploymentClient explicitly disabled through config.
01-17-2020 08:05:00.383 -0800 WARN SHCConfig - Default pass4symkey is being used. Please change to a random one.
01-17-2020 08:05:00.633 -0800 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
01-17-2020 08:05:00.992 -0800 WARN X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see:
01-17-2020 08:05:01.008 -0800 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
Thanks in advance.
Marcelo Amorim
Is there any local firewall running on your machine? Anything that might be blocking the traffic?