Can I delete /opt/splunk/var/run/searchpeers/<hostname>-1633305600/apps/splunk_archiver/*?

erw550
Path Finder

Hello,
I would like to know if it is safe to delete below on all of our Splunk hosts: /opt/splunk/var/run/searchpeers/<hostname>-1633305600/apps/splunk_archiver/java-bin/jars/vendors/spark/3.0.1/lib/

Similar files exist on a lot of our Splunk hosts and we get notifications daily about them because of log4j. So is it safe to delete the above path and similar? It is just replications right?

Thanks in advance!

SinghK
Builder

Check this out, it has all the details. I think there were some updated versions in that fixed the vulnerability.

https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228...

erw550
Path Finder

Yes, we have followed the instructions from the link you provided. But it does not mention if it is ok to delete the splunk_archiver app in /opt/splunk/var/run/searchpeers/<host>-1633305600/*. Is it just replication under /opt/splunk/var/run/searchpeers/<host>-1633305600/*, and is it safe to delete it?

spodda01da
Path Finder

Hi,

Our scan has also found the log4j vulnerability under the path /opt/splunk/var/run/searchpeers/<host>...

Did you remove those files/folders from the location?

Thanks,

erw550
Path Finder

We have not removed them yet. Our Splunk environment is not affected since we do not have DFS enabled. But I am still trying to investigate whether we can delete those files so we don't get notified by the scan. Have you heard anything else?

bwoodward22
Loves-to-Learn

@erw550 Were you able to successfully remove /opt/splunk/var/run/searchpeers/<hostname>/apps/splunk_archiver/* without any issue?

spodda01da
Path Finder

I went ahead and removed the log4j files from the specified locations. Although I get a Splunk alert, which is expected (as per Splunk, it can be ignored), the scan is clean.

I am planning to follow the same on other Splunk servers.

Here is the URL for reference:

https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228...

"Upon removal of these jar files, an administrator may see errors at Splunk startup pertaining to file integrity, specific to these jar files. These are expected as you are removing these unused jar files as a workaround. These errors may be ignored."
