Deployment Architecture

Can you update the Splunk manifest so that it will not throw warnings about it being modified?

Explorer

We had to change parts of Splunk that changed the manifest, and Splunk always complains that the manifest is different. I'd like to re-baseline it if possible, so this warning goes away. I don't have to really worry about updates to Splunk itself, which I know will change the manifest package.

I don't think it will make any difference, but I am using v6.5

Communicator

We updated /opt/splunk/share/GeoLite2-City.mmdb and started getting these errors.

sha256sum in installed on RHEL so we did this.

Get the new checksum.
Change the checksum in the manafest.
Validate.
Restart.

sha256sum /opt/splunk/share/GeoLite2-City.mmdb
c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37  /opt/splunk/share/GeoLite2-City.mmdb

vi /opt/splunk/splunk-*-manifest
f 444 splunk splunk splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37

splunk validate files
        Validating installed files against hashes from '/opt/splunk/splunk-*-manifest'
        All installed files intact.

splunk restart

Contributor

think you need to set the following in your limits.conf

[system_checks]
installed_files_integrity = disabled

Explorer

This is a work around that I already did, but I'm really trying to find a way to regenerate the manifest so that I can have my customizations in place, and it will still check to see if anyone else makes any changes.

0 Karma