Guys, I'm going crazy with the installation of the universal forwarder for ARM.
I followed all the instructions provided here.
I'm the root user.
The system is a 32-bit ARM:
root@arm:/# uname -a
Linux arm 3.0.35-wand6.3 #2 SMP PREEMPT Fri Oct 17 15:59:49 CEST 2014 armv7l GNU/Linux
I downloaded the tgz and installed it with:
tar zxvf forwarder-for-linux-arm-raspberry-pi_10.tgz -C /opt
When I tried to set up the start at boot, I get the error.
All other binaries give the same error.
Here is the output after invoking splunk:
root@arm:/# /opt/splunkforwarder/bin/splunk
-bash: /opt/splunkforwarder/bin/splunk: No such file or directory
Permissions should be ok:
root@arm:/opt/splunkforwarder/bin# ls -l
total 17336
-r-xr-xr-x 1 root root 34304 Sep 28 2013 btool
-r-xr-xr-x 1 root root 34304 Sep 28 2013 btprobe
-r-xr-xr-x 1 root root 26748 Sep 28 2013 bzip2
-r-xr-xr-x 1 root root 34304 Sep 28 2013 classify
-r--r--r-- 1 root root 57 Sep 28 2013 copyright.txt
-r-xr-xr-x 1 root root 2367 Sep 28 2013 genRootCA.sh
-r-xr-xr-x 1 root root 206 Sep 28 2013 genSignedServerCert.sh
-r-xr-xr-x 1 root root 144 Sep 28 2013 genWebCert.sh
-r-xr-xr-x 1 root root 508556 Sep 28 2013 openssl
drwxr-xr-x 2 root root 4096 Sep 28 2013 scripts
-r--r--r-- 1 root root 1135 Sep 28 2013 setSplunkEnv
-r-xr-xr-x 1 root root 266296 Sep 28 2013 splunk
-r-xr-xr-x 1 root root 16790988 Sep 28 2013 splunkd
-r-xr-xr-x 1 root root 11144 Sep 28 2013 splunkmon
All dependencies seem to be satisfied:
root@arm:/# ldd /opt/splunkforwarder/bin/splunk
libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0x402a4000)
libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0x400e1000)
libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x402af000)
/lib/ld-linux.so.3 => /lib/ld-linux-armhf.so.3 (0x400c2000)
root@arm:/opt/splunkforwarder/bin# eu-readelf -d /opt/splunkforwarder/bin/splunk | grep NEEDED
NEEDED Shared library: [libdl.so.2]
NEEDED Shared library: [libpthread.so.0]
NEEDED Shared library: [libc.so.6]
root@arm:/opt/splunkforwarder/bin# find / -name "libdl.so.2"
/lib/arm-linux-gnueabihf/libdl.so.2
root@arm:/opt/splunkforwarder/bin# find / -name "libpthread.so.0"
/lib/arm-linux-gnueabihf/libpthread.so.0
root@arm:/opt/splunkforwarder/bin# find / -name "libc.so.6"
/lib/arm-linux-gnueabihf/libc.so.6
Here is the /lib content:
root@arm:/lib# ls
arm-linux-gnueabihf libip4tc.so.0 libipq.so.0 libxtables.so.7 modules xtables
firmware libip4tc.so.0.1.0 libipq.so.0.0.0 libxtables.so.7.0.0 systemd
init libip6tc.so.0 libiptc.so.0 lsb terminfo
ld-linux-armhf.so.3 libip6tc.so.0.1.0 libiptc.so.0.0.0 modprobe.d udev
And this is the strace output:
root@arm:/opt/splunkforwarder/bin# strace /opt/splunkforwarder/bin/splunk
execve("/opt/splunkforwarder/bin/splunk", ["/opt/splunkforwarder/bin/splunk"], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
dup(2) = 3
fcntl64(3, F_GETFL) = 0x20002 (flags O_RDWR|O_LARGEFILE)
fstat64(3, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400ca000
_llseek(3, 0, 0xbec7e8d0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: No such file or di"..., 40strace: exec: No such file or directory
) = 40
close(3) = 0
munmap(0x400ca000, 4096) = 0
exit_group(1) = ?
Any idea?
Looks like on a Raspberry Pi /lib/ld-linux.so.3 is missing. Creating it with ln -s /lib/arm-linux-gnueabihf/ld-linux.so.3 /lib solved it.
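The "No such file or directory" for a file that plainly exists is the kernel failing to find the ELF interpreter named in the binary's PT_INTERP program header, not the binary itself, which is why ldd and the NEEDED list look fine while execve() still returns ENOENT. The following is an added example, not code from the thread or from Splunk, that reads that path straight out of the ELF program headers and checks whether it exists; the sample ELF image it builds is constructed for the demo, and the file path in the usage comment is assumed.

```python
import os
import struct
import sys

PT_INTERP = 3  # program-header type that names the dynamic loader

def read_interp(data):
    """Return the PT_INTERP path of an ELF image, or None if it has none (static)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"  # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:  # ELF32: e_phoff @0x1c, e_phentsize/e_phnum @0x2a
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        fmt, off_ix, sz_ix = end + "8I", 1, 4    # p_type p_offset p_vaddr p_paddr p_filesz ...
    elif ei_class == 2:  # ELF64: e_phoff @0x20, e_phentsize/e_phnum @0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt, off_ix, sz_ix = end + "II6Q", 2, 5  # p_type p_flags p_offset p_vaddr p_paddr p_filesz ...
    else:
        raise ValueError("unknown EI_CLASS")
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_INTERP:
            raw = data[ph[off_ix]:ph[off_ix] + ph[sz_ix]]
            return raw.split(b"\0", 1)[0].decode()
    return None

def diagnose(data, exists=os.path.exists):
    """Explain why execve() on an ELF that is clearly present may still return ENOENT."""
    interp = read_interp(data)
    if interp is None:
        return "static binary: no interpreter needed"
    if exists(interp):
        return "interpreter %s present" % interp
    return ("interpreter %s missing: execve() fails with ENOENT even though "
            "the binary itself exists" % interp)

def build_sample_elf(interp):
    """Constructed minimal ELF32 ARM little-endian image with a single PT_INTERP segment."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8  # ELF32, LSB, v1, SYSV ABI
    interp_off = 52 + 32  # 52-byte header, one 32-byte program header, then the string
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<8I", PT_INTERP, interp_off, 0, 0, len(interp) + 1, len(interp) + 1, 4, 1)
    return ehdr + phdr + interp + b"\0"

if __name__ == "__main__":  # usage: python3 check_interp.py /opt/splunkforwarder/bin/splunk
    with open(sys.argv[1], "rb") as f:
        print(diagnose(f.read()))
```

On the box from the question this reports the interpreter /lib/ld-linux.so.3 as missing until the symlink from the answer is created.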
I have to say that worked for me too. I was running Armbian Linux on a Banana Pi and after that I was able to start the binaries.
You saved my day! Thanks.
After executing:
ln -s /lib/arm-linux-gnueabihf/ld-linux.so.3 /lib/ld-linux.so.3
I can start the splunkforwarder on my cubietruck 😉
Linux cubietruck 3.4.108-sun7i+ #1 SMP PREEMPT Tue Jul 28 12:54:49 CEST 2015 armv7l armv7l armv7l GNU/Linux
Thank you.
Running on a Next Thing Co C.H.I.P. after running:
ln -s /lib/arm-linux-gnueabihf/ld-linux.so.3 /lib/ld-linux.so.3
Linux chip 4.3.0 #10 SMP Sat Nov 14 19:10:05 PST 2015 armv7l GNU/Linux
Thanks.
In that case, how can I set up SSH/SCP to pull the alert.1.gz? Is there somewhere I can look up instructions on how to set this up?
Thanks!
What is alert.1.gz?
It is the compressed snort alert log file on the Pi2. Was trying to set up forwarder to send the file to my splunk on my Mac 🙂
Did not work for me on my Pi2 B+. Still same "command not found" bash error.
Did not work for me on Pi2 B+. Still trying to figure out why...
Am running Kali with Snort on it.