The Universal Forwarder is unable to connect to the Deployment Server. I see the below error on the Deployment Server for the client IP:
10-11-2018 09:09:59.340 +0800 WARN ClientSessionsManager - Client with Id 'XXXXX-XX-XXX-XXX-XXXX' has changed some of its properties on the latest phone home.Old properties are: ip=XX.XX.XX.XXX dns=XX.XX.XX.XX hostname=XXXXXXX build=4b804538c686 uts=windows-x64 name=XXXXX-XX-XXX-XXX-XXXX. New properties are: ip=XX.XX.XX.XXX dns=XX.XX.XX.XX hostname=XXXXXXX build=4b804538c686 uts=windows-x64 name=XXXXX-XX-XXX-XXX-XXXX.
This issue happens due to a duplicate GUID [if you have cloned multiple instances from the same OS image].
You can follow the below steps to resolve the issue:
1. Log in to the problem Universal Forwarder.
2. Go to /opt/splunkforwarder/etc/ and rename instance.cfg to backup_instances.cfg
3. Restart the UF Splunk service
4. Go to /opt/splunkforwarder/etc/ and check that a new instance.cfg has been created
5. Go to the DS and run the below to see if the UF is connected and listed:
splunk list deploy-clients
This worked for me as well. However, I would like to add there are 2 other places to ensure that your instance name matches the hostname - which is commonly related to this issue as well.
in $SPLUNK_HOME/etc/system/local/inputs.conf
check the host= setting that may be the old hostname
in $SPLUNK_HOME/etc/system/local/server.conf
check servername= setting that may have the old hostname
Give me a thumbs up if you found this helpful 🙂
A thread with the same message - Client with Id ... has changed some of its properties on the latest phone home.
It's at - What do I look at in splunkd.log to troubleshoot deployment client issues?
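The ClientSessionsManager warning quoted in the question can be used to find which client IDs are shared by cloned hosts. The following is an added example, not code from this thread or from Splunk: it assumes the log line layout shown in the question, and the GUIDs, hostnames, IPs and second build value in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Layout taken from the warning quoted in the question.
PHONE_HOME = re.compile(
    r"Client with Id '(?P<guid>[^']+)' has changed some of its properties "
    r"on the latest phone home\.\s*Old properties are: (?P<old>.*?)\.\s*"
    r"New properties are: (?P<new>.*?)\.\s*$"
)

def parse_props(text):
    """Turn 'ip=... dns=... hostname=...' into a dict."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def shared_guids(lines):
    """Map each client GUID to the (hostname, ip) pairs seen using it,
    keeping only GUIDs claimed by more than one host."""
    seen = defaultdict(set)
    for line in lines:
        m = PHONE_HOME.search(line)
        if not m:
            continue  # not a phone-home property change
        for side in ("old", "new"):
            p = parse_props(m.group(side))
            seen[m.group("guid")].add((p.get("hostname", "?"), p.get("ip", "?")))
    return {g: sorted(h) for g, h in seen.items() if len(h) > 1}

# Constructed sample input (hypothetical GUIDs, hosts and documentation IPs).
GUID_A = "AAAAAAAA-1111-2222-3333-444444444444"
GUID_B = "BBBBBBBB-1111-2222-3333-444444444444"
TEMPLATE = ("10-11-2018 09:09:59.340 +0800 WARN ClientSessionsManager - "
            "Client with Id '{g}' has changed some of its properties on the "
            "latest phone home.Old properties are: {o}. New properties are: {n}.")
PROPS = "ip={ip} dns={h} hostname={h} build={b} uts=windows-x64 name={g}"
WEB01 = PROPS.format(ip="192.0.2.10", h="web01", b="4b804538c686", g=GUID_A)
WEB02 = PROPS.format(ip="192.0.2.11", h="web02", b="4b804538c686", g=GUID_A)
DB_OLD = PROPS.format(ip="192.0.2.20", h="db01", b="4b804538c686", g=GUID_B)
DB_NEW = PROPS.format(ip="192.0.2.20", h="db01", b="000000000000", g=GUID_B)
SAMPLE = [
    TEMPLATE.format(g=GUID_A, o=WEB01, n=WEB02),   # two clones sharing one GUID
    TEMPLATE.format(g=GUID_A, o=WEB02, n=WEB01),   # ...flipping back again
    TEMPLATE.format(g=GUID_B, o=DB_OLD, n=DB_NEW), # same host, build changed only
    "10-11-2018 09:10:02.001 +0800 INFO  Metrics - group=queue, name=parsingqueue",
]

if __name__ == "__main__":
    for guid, hosts in shared_guids(SAMPLE).items():
        print(guid, "is used by", hosts)
```

A GUID that appears with more than one hostname/IP pair points at forwarders whose instance.cfg was cloned; a GUID whose host stays the same (for example after an upgrade) is not reported.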