Getting Data In

After upgrading forwarder to 7.2.6 why is it not getting controlled by splunk user while restarting service?

ashikuma
Explorer

after upgrading forwarder to 7.2.6 it's not getting controlled by Splunk user(specifically aligned to Splunk only (non-root user)) while restarting service.

We upgrade Splunk UF to 7.2.6 from 6.x.x , everything is working as expected but while stop\start splunk service it's asking for authentication (mentioned below). And this message coming only once we enable boot start for Splunk user so that It can auto start after reboot. If we disable boot start then I am not getting these messages.

[user@servername ~]$ /usr/splunk/splunkforwarder/bin/splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Multiple identities can be used for authentication:

And you will get multiple user identities here after this above line, these are the user who's ID is synced with root user. And if I ask them to do they are able to restart Splunk but they have to choose their username and password , so to add splunk user here in identities list what we need to do. Is there a way to get rid of this.

Splunk UF version - 7.2.6
OS version - Red Hat Enterprise Linux Server release 7.6 (Maipo)

Do we need to tweak splunk configuration or make any entries in sudoer files on OS side.

0 Karma

bandit
Motivator

Summary of the issue:
Splunk 6.0.0 - Splunk 7.2.1 defaults to using init.d when enabling boot start
Splunk 7.2.2 - Splunk 7.2.9 defaults to using systemd when enabling boot start
Splunk 7.3.0 - Splunk 8.x defaults to using init.d when enabling boot start

systemd defaults to prompting for root credentials upon stop/start/restart of Splunk

Here is a simple fix if you have encountered this issue and prefer to use the traditional init.d scripts vs systemd.

Splunk Enterprise/Heavy Forwarder example (note: replace the splunk user below with the account you run splunk as):

sudo /opt/splunk/bin/splunk disable boot-start
sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 0

Splunk Universal Forwarder example (note: replace the splunk user below with the account you run splunk as):

sudo /opt/splunkforwarder/bin/splunk disable boot-start
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk -systemd-managed 0
0 Karma

gjanders
SplunkTrust
SplunkTrust

sudoers will not resolve this problem, refer to FrankVI's comments around the systemd usage in Splunk 7.2
If you choose to stay with systemd in the particular Splunk 7.2 version or above refer to:
https://answers.splunk.com/answers/738877/splunk-systemd-unit-file-in-versions-722-and-newer.html

That will provide a solution to remove the password prompt, if not feel free to use init.d if that is preferred!

0 Karma

FrankVl
Ultra Champion

This is due to Splunk using systemd to manage the Splunk process by default in certain 7.2.x versions. If you want to get rid of this, you can enable boot start with the old method by adding -systemd-managed 0 https://docs.splunk.com/Documentation/Splunk/latest/Admin/RunSplunkassystemdservice#Additional_optio...

harsmarvania57
SplunkTrust
SplunkTrust

Update: Since 7.3 default is -systemd-managed 0 (Splunk reverted default configuration which they introduced in 7.2.2)

FrankVl
Ultra Champion

Oh, cool, didn't know that 🙂

Edited my answer to clarify systemd is only the default in certain 7.2.x versions.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

This is due to systemd changes introduced by Splunk in 7.2.2, have a look at answers post https://answers.splunk.com/answers/738877/splunk-systemd-unit-file-in-versions-722-and-newer.html which explains this behavior and solution.

0 Karma

DavidHourani
Super Champion

Hi @ashikuma,

Did you follow the steps mentioned here :
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/RunSplunkassystemdservice#Configure_systemd...
How did you set this up exactly ?

0 Karma

ashikuma
Explorer

we enabled it using command : /usr/splunk/splunkforwarder/bin/splunk enable boot-start -user
and it's making entries under /etc/init.d/splunk in linux boxes, but when we upgraded it to 7.2.6 we lost control on stop\start service , so as per above document do we need to use systemd to control splunk.
My questions is same thing working in splunk UF version lowes version 6.x.x but not on 7.2.6.

I would say just try same to install in your test env. once for same scenario.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...