Splunk Enterprise

"File Integrity checks found 1 files that did not match the system-provided manifest. See splunkd.log for details."

brent_weaver
Builder

I have no idea where this message is coming from. I see the subject message in the WebUI but when I restart splunk it tells me all is OK. Here is the output from a restart:

[dev]root@ip-10-94-18-55:/opt/splunk/etc/users:#/opt/splunk/bin/splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.............                                              [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.

Splunk> Needle. Haystack. Found.

Checking prerequisites...
    Checking http port [8000]: open
    Checking mgmt port [8089]: open
    Checking appserver port [127.0.0.1:8065]: open
    Checking kvstore port [8191]: open
    Checking configuration...  Done.
    Checking critical directories...    Done
    Checking indexes...
        Validated: _audit _internal _introspection _telemetry _thefishbucket aws_anomaly_detection aws_topology_daily_snapshot aws_topology_history aws_topology_monthly_snapshot aws_topology_playback aws_vpc_flow_logs history main summary
    Done


Bypassing local license checks since this instance is configured with a remote license master.

    Checking filesystem compatibility...  Done
    Checking conf files for problems...
        Invalid key in stanza [ui] in /opt/splunk/etc/apps/SA-ge_splunk_health/local/app.conf, line 12: version  (value:  1.0).
        Invalid key in stanza [calendar_heatmap] in /opt/splunk/etc/apps/calendar_heatmap_app/default/visualizations.conf, line 6: supports_drilldown  (value:  True).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunk/splunk-6.5.2-67571ef4b87d-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
                                                           [  OK  ]

Waiting for web server at https://127.0.0.1:8000 to be available................. Done


If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at https://ip-10-94-18-55:8000

I ran the REST API call to https://10.94.18.55:8089/services/server/status/installed-file-integrity and it tells me that the file /opt/splunk/etc/users/users.ini has been modified. What am I missing here?

Any help is MUCH appreciated as this is very annoying.

0 Karma

darrenfuller
Contributor

on my Splunk 6.5.1 Linux box, users.ini is empty:

0 -r--r--r--. 1 splunk splunk   0 Nov 18  2016 users.ini
0 Karma

darrenfuller
Contributor

go to a fresh Splunk instance, copy /opt/splunk/etc/users/users.ini from the fresh instance to yours, be sure to keep the file modified times ... restart.

this will go away

brent_weaver
Builder

When I do this Splunk complains about the missing [contains-uppercase] section. So unfortunately this did not work.

[contains-uppercase]
212631038" = 212631038_.7c4b2bdd6b5f9690f1813a7ab9d6e76a
212611170" = 212611170_.d3b52ce6b4e8fdfbf8ec32f6d9f015ba
0 Karma

darrenfuller
Contributor

same version/edition of Splunk on both?

0 Karma

darrenfuller
Contributor

(and which version/OS are we talking about?)

0 Karma

xisura
Communicator

did you edit some files under the default folders?

0 Karma

brent_weaver
Builder

The file is /opt/splunk/etc/users/users.ini that it is complaining about.

0 Karma

brent_weaver
Builder

I would never do that, so no.

0 Karma
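
Added example (not part of the thread and not Splunk's own code): a minimal re-implementation of the hash comparison that the restart output names ("Validating installed files against hashes from ...-manifest"), useful for seeing which file differs and whether it is modified or missing. The manifest line layout (type, mode, owner, group, path, SHA-256) and every sample file are assumptions constructed for illustration.

```python
import hashlib, os, tempfile

def parse_manifest(text):
    """Yield (relative_path, expected_sha256) for regular-file entries.
    Assumed layout per line: type mode owner group path hash."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "f" and parts[5] != "-":
            yield parts[4], parts[5].lower()

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_install(manifest_text, install_parent):
    """Return {relative_path: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for rel, expected in parse_manifest(manifest_text):
        full = os.path.join(install_parent, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif sha256_file(full) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results

def demo():
    """Constructed sample: manifest expects an empty users.ini, disk copy was edited."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "splunk/etc/users"))
    os.makedirs(os.path.join(root, "splunk/bin"))
    with open(os.path.join(root, "splunk/etc/users/users.ini"), "w") as fh:
        fh.write("[contains-uppercase]\n")  # content differs from the empty file
    with open(os.path.join(root, "splunk/bin/tool"), "wb") as fh:
        fh.write(b"binary")
    manifest = "\n".join([
        "d 755 splunk splunk splunk/etc/users -",  # directory entry, no hash
        "f 444 splunk splunk splunk/etc/users/users.ini " + hashlib.sha256(b"").hexdigest(),
        "f 555 splunk splunk splunk/bin/tool " + hashlib.sha256(b"binary").hexdigest(),
        "f 444 splunk splunk splunk/README.txt " + hashlib.sha256(b"x").hexdigest(),
    ])
    return check_install(manifest, root)

if __name__ == "__main__":
    for path, status in demo().items():
        print(status, path)
```

The parser splits on whitespace, so paths containing spaces would need different handling.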