Hello,
I would like to know if it is safe to delete the path below on all of our Splunk hosts: /opt/splunk/var/run/searchpeers/<hostname>-1633305600/apps/splunk_archiver/java-bin/jars/vendors/spark/3.0.1/lib/
Similar files exist on a lot of our Splunk hosts and we get notifications daily about them because of log4j. So is it safe to delete the above path and similar? It is just replications, right?
Thanks in advance!
Check this out, it has all the details. I think there were some updated versions in that fixed the vulnerability.
Yes, we have followed the instructions from the link you provided. But it does not mention if it is ok to delete the splunk_archiver app in /opt/splunk/var/run/searchpeers/<host>-1633305600/*. Is it just replication under /opt/splunk/var/run/searchpeers/<host>-1633305600/* and is it safe to delete it?
Hi,
Our scan too has found a log4j vulnerability under the path /opt/splunk/var/run/searchpeers/<host>...
Did you remove those files/folders from the location?
Thanks,
We have not removed them yet. Our Splunk environment is not affected since we do not have DFS enabled. But I am still trying to investigate whether we can delete those files so we don't get notified from the scan. Have you heard anything else?
@erw550 Were you able to successfully remove /opt/splunk/var/run/searchpeers/<hostname>/apps/splunk_archiver/* without any issue?
I went ahead and removed log4j files from the specified locations. Although I get a Splunk alert, which is expected (as per Splunk, it can be ignored), the scan is clean.
I am planning to follow the same on other Splunk servers.
Here is the URL for reference:
"Upon removal of these jar files, an administrator may see errors at Splunk startup pertaining to file integrity, specific to these jar files. These are expected as you are removing these unused jar files as a workaround. These errors may be ignored."