Deployment Architecture

Can I delete /opt/splunk/var/run/searchpeers/<hostname>-1633305600/apps/splunk_archiver/*

erw550
Explorer

Hello,
I would like to know if it is safe to delete the path below on all of our Splunk hosts: /opt/splunk/var/run/searchpeers/<hostname>-1633305600/apps/splunk_archiver/java-bin/jars/vendors/spark/3.0.1/lib/

Similar files exist on a lot of our Splunk hosts and we get notifications daily about them because of log4j. So is it safe to delete the above path and similar? It is just replications right?

Thanks in advance!

0 Karma

SinghK
Builder

Check this out, it has all the details. I think there were some updated versions in it that fixed the vulnerability.

https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228...

0 Karma

erw550
Explorer

Yes, we have followed the instructions from the link you provided. But it does not mention if it is ok to delete the splunk_archiver app in /opt/splunk/var/run/searchpeers/<host>-1633305600/*. Is it just replication under /opt/splunk/var/run/searchpeers/<host>-1633305600/*, and is it safe to delete it?

0 Karma

spodda01da
Explorer

Hi,

Our scan has also found the log4j vulnerability under the path /opt/splunk/var/run/searchpeers/<host>...

Did you remove those files/folders from the location?

Thanks,

0 Karma

erw550
Explorer

We have not removed them yet. Our Splunk environment is not affected since we do not have DFS enabled. But I am still trying to investigate whether we can delete those files so we don't get notified by the scan. Have you heard anything else?

0 Karma

spodda01da
Explorer

I went ahead and removed the log4j files from the specified locations. Although I get a Splunk alert, which is expected (as per Splunk, it can be ignored), the scan is clean.

I am planning to follow the same on other Splunk servers.

Here is the URL for reference:

https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228...

"Upon removal of these jar files, an administrator may see errors at Splunk startup pertaining to file integrity, specific to these jar files. These are expected as you are removing these unused jar files as a workaround. These errors may be ignored."

0 Karma
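Before deleting anything, an administrator usually wants an inventory of what the scanner is actually flagging under the replicated bundle path. The script below is an added example written for this thread; it is not Splunk's code and not taken from the advisory. It walks a directory laid out like the /opt/splunk/var/run/searchpeers/<host>-<epoch>/ path quoted in the question, reports every log4j-core jar it finds together with the version declared in the jar's Maven pom.properties, and records whether the JndiLookup class (the component CVE-2021-44228 scanners look for, and the one the upstream class-removal mitigation deletes) is still inside the jar. The sample tree, jar names, version strings and class stubs are constructed for the demo and say nothing about what Spark 3.0.1 or Splunk actually ship.

```python
"""Inventory log4j-core jars under a Splunk searchpeers bundle tree.

Added example (not Splunk's code). The directory layout mirrors the path
quoted in the thread; every jar, version string and class stub below is
constructed for the demo.
"""
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List

# Class removed by the upstream CVE-2021-44228 class-removal mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry regardless of their file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


@dataclass
class Finding:
    path: str           # jar location relative to the scanned root
    version: str        # from pom.properties, or "unknown"
    jndi_present: bool  # True if JndiLookup.class is still in the jar


def log4j_version(jar: zipfile.ZipFile) -> str:
    """Read the version line from log4j-core's pom.properties, if present."""
    try:
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_bundle_tree(root: str) -> List[Finding]:
    """Return a Finding for every readable log4j-core jar below root."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(full) as jar:
                    names = set(jar.namelist())
                    # Match on contents, not file name: renamed or shaded
                    # copies still carry the Maven metadata or the package.
                    is_core = POM_PROPS in names or any(
                        n.startswith("org/apache/logging/log4j/core/") for n in names)
                    if not is_core:
                        continue
                    findings.append(Finding(
                        path=os.path.relpath(full, root),
                        version=log4j_version(jar),
                        jndi_present=JNDI_LOOKUP in names,
                    ))
            except zipfile.BadZipFile:
                continue  # not a valid jar; report separately if needed
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(root: str) -> str:
    """Constructed sample bundle with three jars; versions are made up."""
    lib = os.path.join(root, "searchpeers", "idx01-1633305600", "apps",
                       "splunk_archiver", "java-bin", "jars", "vendors",
                       "spark", "3.0.1", "lib")
    os.makedirs(lib)

    def write_jar(name: str, entries: Dict[str, bytes]) -> None:
        with zipfile.ZipFile(os.path.join(lib, name), "w") as jar:
            for entry, body in entries.items():
                jar.writestr(entry, body)

    # 1. log4j-core with JndiLookup still present: what a scanner flags.
    write_jar("log4j-core-2.x-demo.jar", {
        POM_PROPS: b"version=2.13.3-demo\n",
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe",  # class-file magic only
    })
    # 2. Same jar after the class-removal mitigation.
    write_jar("log4j-core-2.x-stripped.jar", {POM_PROPS: b"version=2.13.3-demo\n"})
    # 3. Unrelated jar that must not be reported.
    write_jar("spark-core-demo.jar", {"org/apache/spark/SparkContext.class": b""})
    return os.path.join(root, "searchpeers")


def demo() -> List[Finding]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in demo():
        status = "JndiLookup PRESENT" if f.jndi_present else "JndiLookup removed"
        print(f"{f.path}  version={f.version}  {status}")
```

On a real host you would call scan_bundle_tree("/opt/splunk/var/run/searchpeers") and compare the output against the scanner's findings before removing or stripping anything, so that the file-integrity warnings Splunk raises afterwards (quoted from the advisory above) can be matched to a known list of jars.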