Deployment Architecture

Deployment Server unable to phone home

New Member

I recently upgraded from 4.3 to 6.3.3 using an RPM update. I followed the recommendations of Splunk and upgraded from 4.3 to 6.0 and then to 6.3.3. All went well. I now see on my deployment server that it cannot phone home.

I see the error...
04-22-2016 12:50:10.302 +0000 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.yyy.yy_8089_mydeployment_server
04-22-2016 12:50:14.746 +0000 INFO ClientSessionsManager:Listener_AppEvents - Received count=3 AppEvents from DC name=defaultforwarder
04-22-2016 12:50:14.746 +0000 INFO ClientSessionsManager - name=defaultforwarder Updating record for sc=jbossStatistics app=JBossStatistics: action=Install result=Ok checksum=9537295459324277384
04-22-2016 12:50:14.746 +0000 INFO ClientSessionsManager - name=defaultforwarder Updating record for sc=jbossUF app=JBOSS_UF: action=Install result=Ok checksum=9364516596849177361
04-22-2016 12:50:14.746 +0000 INFO ClientSessionsManager - name=defaultforwarder Updating record for sc=systemCheck app=unix: action=Install result=Ok checksum=14281476786925036628
04-22-2016 12:50:15.549 +0000 ERROR AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin

Actually I am not sure if this message is from the deployment server or one of the others, but I do know...
1) All my indexers (16) are working.
2) All my 700+ forwarders are forwarding to the indexers.
3) All the indexers and forwarders are able to phone home because I see them come into the Deployment server.
4) We are able to query and get no error messages complaining about missing indexers.
5) The data looks good from all sources.

I just cannot figure out why the Deployment server is not phoning home.

It apparently is trying to use the login and password. I assumed all the old passwords I was using were preserved.

FYI: Some names and IPs were masked to protect the innocent.

Any help is appreciated.

0 Karma

Path Finder

The Deployment Server represents 'home' to ONLY those nodes running a forwarder client (who can then 'phone home' to the deployment server). The deployment server should not be running a universal or heavy forwarder because you are running the core enterprise software, wherein, you are directing output (_internal index goodies) directly to the indexer (forwarding and indexing configuration). Both the forwarder and the core installation utilize the splunkd process, so cannot physically both be running on the same node. The deployment server is 'home' and the source of your forwarder inputs sent to your forwarding nodes. I hope this helps.

In Splunk search for the log entry above and take note of the 'source' and 'host' values. This will tell you which node is responsible for generating the event.

0 Karma
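
The search suggested in the answer above, written out as an added example (not part of the original thread). It assumes the instances forward their internal logs to the indexers, the default `_internal` index and `splunkd` sourcetype with their standard `component` and `log_level` field extractions; `failed_user`, `failures`, `first_seen` and `last_seen` are names chosen here.

```spl
index=_internal sourcetype=splunkd component=AuthenticationManagerSplunk log_level=ERROR "Login failed"
| rex "Incorrect login for user: (?<failed_user>\S+)"
| stats count AS failures, min(_time) AS first_seen, max(_time) AS last_seen BY host, source, failed_user
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
```

The `host` column shows which node logged the failed `admin` login, and the first and last timestamps show whether the failures recur at a regular interval.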