
Removing Log4j Version 2 from Splunk Enterprise - Disabling the default Bucket Copy Trigger

KayBeesKnees83
Path Finder

Greetings,

Where can I disable the default Bucket Copy Trigger search to prevent jar files from returning in Splunk? Also, on which Splunk instance does this search need to be disabled? Please see below:

"Jar files matching the same filename of the files found in the directories above, but found in other directories on your Splunk instances are likely from normal Splunk operation (e.g. search head bundle replication) and can be safely deleted. If any jar files return in the splunk_archiver app, disabling the default Bucket Copy Trigger search in that app will stop this behavior from happening. " 

My Splunk architecture (airgapped) includes the following:

1 Search Head
1 Heavy Forwarder
1 Deployment Server
1 Cluster Master/License Master (operating as the same instance)
7 Indexers (all clustered)

Within my distributed environment, I just want to know where to disable this search to prevent this from happening again.

Thank you. 

-KB 


gjanders
SplunkTrust

The search will definitely run on the search head, so disable it there.
You can see the search in the audit index and additionally in the remote_searches log on the indexers.

I don't believe the cluster master or indexers trigger this, but it is safe to disable it. It is related to the Hadoop data roll functionality.


KayBeesKnees83
Path Finder

Hi gjanders,

Thank you for your reply and the information you provided. How do I disable this functionality/search on the Search Head? Specifically, is there a conf file to disable, or is there another way to disable the search?

Thank you. 

-KB 


rashiagrawal
Loves-to-Learn Lots

@KayBeesKnees83 - please let me know how you finally disabled the "Bucket trigger" in savedsearches.

Which savedsearches.conf file was used?

I am suffering from the issue and looking for the correct way to disable this setting.


KayBeesKnees83
Path Finder

I upgraded to Splunk v8.2.4 and deleted all the files as listed in the "Log4j report" from Splunk. However, if the aforementioned does not resolve your issue, you can disable the app completely. Search for the app "Bucket Copy" and just disable the app.

I hope this helps. 

-KB 


rashiagrawal
Loves-to-Learn Lots

Is there an app named "Bucket copy" or "splunk_archiver"?


KayBeesKnees83
Path Finder

It is the "splunk_archiver" -- the Bucket Copy Trigger search is located within that app. 


diptij
Path Finder

Isn't the bucket copy functionality necessary in Splunk?


KayBeesKnees83
Path Finder

No, it is not a necessary functionality in Splunk. 


diptij
Path Finder

So [Bucket Copy Trigger] actually calls archivebuckets, which calls copybuckets. The archiving was leading me to question whether the functionality is necessary, because buckets do get moved from hot, warm, cold, archive.

In any Splunk install (head or indexer) I just need to do the following:

1. Copy $SPLUNK_HOME/etc/apps/splunk_archiver/default/savedsearches.conf to $SPLUNK_HOME/etc/apps/splunk_archiver/local/savedsearches.conf

2. Update local/savedsearches.conf so that under [Bucket Copy Trigger] you change enableSched = 1 to enableSched = 0

Anything else?


KayBeesKnees83
Path Finder

Looks good. I would also restart splunkd for good measure. 


diptij
Path Finder

It turns out that in local/savedsearches.conf you also have to add disabled=1.

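The two-step procedure above, together with the `disabled=1` correction, as an added POSIX shell example (not code from the thread or from Splunk): it writes the local override stanza for the splunk_archiver app and then verifies that both settings are present. It assumes only the standard Splunk layering rule that a key in `local/` overrides the same key in `default/` for the same stanza; the `$SPLUNK_HOME` argument and the function names are mine.

```shell
#!/bin/sh
# Added example: disable the "Bucket Copy Trigger" saved search of the
# splunk_archiver app with a local/savedsearches.conf override, then verify it.
# Assumes Splunk's local/ over default/ layering; paths follow the thread.

APP_REL="etc/apps/splunk_archiver"      # app directory under $SPLUNK_HOME
STANZA="Bucket Copy Trigger"            # stanza name from the thread

# disable_bucket_copy_trigger <splunk_home>
# Appends the override stanza once; returns 1 if the app is not installed here,
# so the function is safe to run on every instance type (SH, CM, indexers).
disable_bucket_copy_trigger() {
    app="$1/$APP_REL"
    [ -f "$app/default/savedsearches.conf" ] || return 1
    mkdir -p "$app/local"
    local_conf="$app/local/savedsearches.conf"
    # Idempotent: a second run must not duplicate the stanza.
    if [ -f "$local_conf" ] && grep -q "^\[$STANZA\]" "$local_conf"; then
        return 0
    fi
    printf '\n[%s]\nenableSched = 0\ndisabled = 1\n' "$STANZA" >> "$local_conf"
}

# bucket_copy_trigger_disabled <splunk_home>
# Returns 0 only if the local stanza sets BOTH enableSched = 0 and disabled = 1,
# the combination the thread settled on (enableSched alone was not enough).
bucket_copy_trigger_disabled() {
    local_conf="$1/$APP_REL/local/savedsearches.conf"
    [ -f "$local_conf" ] || return 1
    awk -v want="[$STANZA]" '
        /^\[/ { line = $0; sub(/[ \t]+$/, "", line); in_stanza = (line == want); next }
        in_stanza && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "enableSched" && val == "0") sched = 1
            if (key == "disabled"    && val == "1") dis = 1
        }
        END { exit !(sched && dis) }
    ' "$local_conf"
}
```

On a live instance, `splunk btool savedsearches list "Bucket Copy Trigger" --app=splunk_archiver --debug` shows which file each effective setting comes from, which is the quickest way to confirm the local override actually wins.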

rashiagrawal
Loves-to-Learn Lots

Thank you. I have found the app on search head and disabled it. 


gjanders
SplunkTrust

I don't have access to a Linux Splunk instance to test right now, but it should be either an "archive buckets" or an "archive buckets trigger" saved search.

You can disable it via the Settings -> saved searches, or by creating a savedsearches.conf with the stanza and setting disabled=1

Or you could disable the entire app, I would disable the app personally...


gjanders
SplunkTrust

With that said the | archivebuckets command might still work with the savedsearch disabled, it should fail once the app is disabled...
