Deployment Architecture

forwarder for ARM: /opt/splunkforwarder/bin/splunk: No such file or directory

idsiano
Explorer

Guys, I'm going crazy with the installation of the universal forwarder for ARM.

I followed all the instructions provided here.
I'm the root user.
The system is a 32-bit ARM:

root@arm:/# uname -a
Linux arm 3.0.35-wand6.3 #2 SMP PREEMPT Fri Oct 17 15:59:49 CEST 2014 armv7l GNU/Linux

I downloaded the tgz and installed it with:

tar zxvf forwarder-for-linux-arm-raspberry-pi_10.tgz -C /opt

When I tried to set up start at boot, I got the error.
All other binaries give the same error.
Here is the output after invoking splunk:

root@arm:/# /opt/splunkforwarder/bin/splunk
-bash: /opt/splunkforwarder/bin/splunk: No such file or directory

Permissions should be ok:

root@arm:/opt/splunkforwarder/bin# ls -l
total 17336
-r-xr-xr-x 1 root root    34304 Sep 28  2013 btool
-r-xr-xr-x 1 root root    34304 Sep 28  2013 btprobe
-r-xr-xr-x 1 root root    26748 Sep 28  2013 bzip2
-r-xr-xr-x 1 root root    34304 Sep 28  2013 classify
-r--r--r-- 1 root root       57 Sep 28  2013 copyright.txt
-r-xr-xr-x 1 root root     2367 Sep 28  2013 genRootCA.sh
-r-xr-xr-x 1 root root      206 Sep 28  2013 genSignedServerCert.sh
-r-xr-xr-x 1 root root      144 Sep 28  2013 genWebCert.sh
-r-xr-xr-x 1 root root   508556 Sep 28  2013 openssl
drwxr-xr-x 2 root root     4096 Sep 28  2013 scripts
-r--r--r-- 1 root root     1135 Sep 28  2013 setSplunkEnv
-r-xr-xr-x 1 root root   266296 Sep 28  2013 splunk
-r-xr-xr-x 1 root root 16790988 Sep 28  2013 splunkd
-r-xr-xr-x 1 root root    11144 Sep 28  2013 splunkmon

Dependencies seem to be all satisfied:

root@arm:/# ldd /opt/splunkforwarder/bin/splunk
        libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0x402a4000)
        libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0x400e1000)
        libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x402af000)
        /lib/ld-linux.so.3 => /lib/ld-linux-armhf.so.3 (0x400c2000)
root@arm:/opt/splunkforwarder/bin# eu-readelf -d /opt/splunkforwarder/bin/splunk  | grep NEEDED
  NEEDED            Shared library: [libdl.so.2]
  NEEDED            Shared library: [libpthread.so.0]
  NEEDED            Shared library: [libc.so.6]
root@arm:/opt/splunkforwarder/bin# find / -name "libdl.so.2"
/lib/arm-linux-gnueabihf/libdl.so.2
root@arm:/opt/splunkforwarder/bin# find / -name "libpthread.so.0"
/lib/arm-linux-gnueabihf/libpthread.so.0
root@arm:/opt/splunkforwarder/bin# find / -name "libc.so.6"
/lib/arm-linux-gnueabihf/libc.so.6

Here is the /lib content:

root@arm:/lib# ls
arm-linux-gnueabihf  libip4tc.so.0      libipq.so.0       libxtables.so.7      modules   xtables
firmware             libip4tc.so.0.1.0  libipq.so.0.0.0   libxtables.so.7.0.0  systemd
init                 libip6tc.so.0      libiptc.so.0      lsb                  terminfo
ld-linux-armhf.so.3  libip6tc.so.0.1.0  libiptc.so.0.0.0  modprobe.d           udev

and this is the strace output:

root@arm:/opt/splunkforwarder/bin# strace /opt/splunkforwarder/bin/splunk
execve("/opt/splunkforwarder/bin/splunk", ["/opt/splunkforwarder/bin/splunk"], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
dup(2)                                  = 3
fcntl64(3, F_GETFL)                     = 0x20002 (flags O_RDWR|O_LARGEFILE)
fstat64(3, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400ca000
_llseek(3, 0, 0xbec7e8d0, SEEK_CUR)     = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: No such file or di"..., 40strace: exec: No such file or directory
) = 40
close(3)                                = 0
munmap(0x400ca000, 4096)                = 0
exit_group(1)                           = ?

Any idea?

0 Karma
1 Solution

idsiano
Explorer

Looks like on a Raspberry Pi /lib/ld-linux.so.3 is missing. Creating it with ln -s /lib/arm-linux-gnueabihf/ld-linux.so.3 /lib solved it.
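
Added example (not part of the original post and not Splunk's code): execve() returns ENOENT when the loader path recorded in a binary's PT_INTERP program header does not exist, even though the binary itself is present, which is the situation in this thread. The Python sketch below reads PT_INTERP and checks for the loader; the function names are hypothetical, and the ELF image and the set of existing paths are constructed from values shown in the thread.

```python
import os
import struct

def elf_interpreter(data):
    """Return the PT_INTERP path of an ELF image, or None (static or not ELF)."""
    if data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, ph)[0] != 3:   # 3 = PT_INTERP
            continue
        # p_offset / p_filesz sit at different offsets in Elf32_Phdr and Elf64_Phdr
        fmt, off_at, size_at = ("Q", 8, 32) if is64 else ("I", 4, 16)
        (p_offset,) = struct.unpack_from(end + fmt, data, ph + off_at)
        (p_filesz,) = struct.unpack_from(end + fmt, data, ph + size_at)
        return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None

def check_loader(data, exists=os.path.exists):
    """Say whether the loader this image asks for is present on the system."""
    interp = elf_interpreter(data)
    if interp is None:
        return "no PT_INTERP (static binary or not ELF)"
    if exists(interp):
        return f"loader {interp} present"
    return f"loader {interp} missing: execve() returns ENOENT"

def sample_elf32(interp):
    """Constructed minimal ELF32 little-endian ARM image with one PT_INTERP entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", 3, 84, 0, 0, len(interp) + 1, len(interp) + 1, 4, 1)
    return ident + ehdr + phdr + interp + b"\0"

if __name__ == "__main__":
    # Constructed from the thread's /lib listing: the only loader present before the fix.
    present = {"/lib/ld-linux-armhf.so.3"}
    image = sample_elf32(b"/lib/ld-linux.so.3")
    print(check_loader(image, present.__contains__))
    print(check_loader(image, (present | {"/lib/ld-linux.so.3"}).__contains__))
```

On a live system, `readelf -l` on the binary reports the same path as "Requesting program interpreter".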

xaratos
Explorer

I have to say that worked for me too. I was running Armbian Linux on a Banana Pi and after that I was able to start the binaries.

0 Karma

securediversity
Explorer

You saved my day! Thanks.

After executing:
ln -s /lib/arm-linux-gnueabihf/ld-linux.so.3 /lib/ld-linux.so.3

I can start the splunkforwarder on my cubietruck 😉

Linux cubietruck 3.4.108-sun7i+ #1 SMP PREEMPT Tue Jul 28 12:54:49 CEST 2015 armv7l armv7l armv7l GNU/Linux

0 Karma

c73
New Member

Thank you.

Running on a Next Thing Co C.H.I.P. after running:
ln -s /lib/arm-linux-gnueabihf/ld-linux.so.3 /lib/ld-linux.so.3

Linux chip 4.3.0 #10 SMP Sat Nov 14 19:10:05 PST 2015 armv7l GNU/Linux

0 Karma

chaicl
New Member

Thanks.

In that case, how can I set up SSH/SCP to pull the alert.1.gz? Is there somewhere I can look up instructions on how to set this up?

Thanks!

0 Karma

mdickey_splunk
Splunk Employee

What is alert.1.gz?

0 Karma

chaicl
New Member

It is the compressed snort alert log file on the Pi2. Was trying to set up forwarder to send the file to my splunk on my Mac 🙂

0 Karma

chaicl
New Member

Did not work for me on my Pi2 B+. Still same "command not found" bash error. Still trying to figure out why...

0 Karma

chaicl
New Member

Am running Kali with Snort on it.

0 Karma