
Files Integrity Checker error ?

Motivator

Hi all, we are getting the message below in our search head portal. We are using clustered search heads and Splunk version 6.6.1.

Search peer test.xxxx.com has the following message: Installed Files Integrity Checker: File Integrity checks found 1 files that did not match the system-provided manifest. Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View ; potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem.

Kindly let me know how to fix this issue. I am very new to this, so I am not sure where to find the problem and how to troubleshoot it.
Thanks in advance.


Builder

Check the accepted answer for this one. I had a similar problem recently on an SHC. In any case, this will help you find the file that is not passing integrity checks.

https://answers.splunk.com/answers/453460/how-to-resolve-messages-about-file-integrity-check.html

Basically it says go here, host by host:

https://[your_splunk]:8089/services/server/status/installed-file-integrity


Motivator

Hi Duke, I tried the URL you shared in the above comment, updating it with my Splunk host, but it did not respond; instead I got the message "This site can't be reached".

https://my_splunk:8089/services/server/status/installed-file-integrity

Kindly guide me on resolving this issue.

Thanks in advance.


Motivator

Duke, we can see these details when we click the link from "Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View". It directs to "Integrity check of installed files", and on that page under "List of installed files presenting integrity check failures" it shows:

File path and check result: differs
/opt/splunk/etc/apps/search/default/data/ui/nav/default.xml

Kindly let me know how to fix this issue.


Builder

OK, so for this one you have edited a default file. As with so many things in Splunk, never edit /default/filename; instead, edit /local/filename.

So in your case, copy the default.xml file from
/opt/splunk/etc/apps/search/default/data/ui/nav/default.xml
to
/opt/splunk/etc/apps/search/local/data/ui/nav/default.xml

You may have to make the directories; not sure.

Then extract the contents of a Splunk install for your version, dig out the default.xml file, and put it back in
/opt/splunk/etc/apps/search/default/data/ui/nav/default.xml

Or copy it from another server that is not failing the integrity check.

You may have to do some comparing on the files, to see if the xml file has changes worth keeping or if it's just an older version of the file.


Motivator

Hi Duke, thanks for your effort on this. We have checked the path below and found only the views directory under the ui folder.

/opt/splunk/etc/apps/search/local/data/ui/views

In the default folder, by contrast, we can see some additional directories:

/opt/splunk/etc/apps/search/default/data/ui/
manager
nav
quickstart
views
and we can see the same default.xml content configured on all three search head cluster members under the same path. The content of default.xml is configured to direct the link to our wiki article from the Splunk web console.

How do I extract the contents of a Splunk install for my version 6.6.1 and dig out the default.xml file from it? And also, in this case, do we need to copy all the folders from the default directory to the local directory? Kindly guide me.

Thanks in advance.


Builder

You will need to get the Linux .tgz Splunk file for your version and extract it to a temporary location. Then use the Linux cp command to put the file default.xml where it needs to go.

Your tar command will look something like this:

tar zxf splunk-xxxxxxx-Linux-x86_64.tgz -C /tmp/

Or extract it using WinRAR on a Windows box, and use a tool like WinSCP to copy the files around that way.


Motivator

Hi Duke, thanks for your effort on this. I have checked another Splunk instance running the same build version 6.6.1 as the search head cluster. This instance is used as a deployment server, and when I verified the file /opt/splunk/etc/apps/search/default/data/ui/nav/default.xml I found the details below; I hope this is the default file.

My question: can I follow the steps below?

Step 1) Back up the default.xml file that is present in the search head cluster:

 /opt/splunk/etc/apps/search/default/data/ui/nav/default.xml

Step 2) Next, copy the default.xml from the deployment server to the search head cluster and place it under the location below:

/opt/splunk/etc/apps/search/default/data/ui/nav/default.xml

Step 3) The default.xml file backed up from the search head cluster should be placed under the local directory on all search head cluster members:

/opt/splunk/etc/apps/search/local/data/ui/nav/default.xml

including the directories below, taken from /opt/splunk/etc/apps/search/default/data/ui/:

manager
nav
quickstart
views

Step 4) Restart the Splunk services.

Kindly guide me on whether I can follow the above steps to fix this issue.

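The four-step procedure laid out above (back up the edited default, restore the pristine copy, keep the customisation under local/, restart) scripted as one repeatable, verified operation. This is an added example, not code from the thread or from Splunk; the reference tree, the paths and the app name are assumptions, and the reference can be either an extracted Splunk .tgz (as suggested earlier, e.g. /tmp/splunk) or a known-good host's tree copied over.

```shell
#!/bin/sh
# Added example (not from the thread): restore a shipped "default/" file from a
# pristine reference tree, preserve the local edit under "local/", and verify
# the result by hash so the same command can be run on every SHC member.
# Assumed layout: REF_ROOT/etc/apps/<app>/... mirrors SPLUNK_HOME/etc/apps/<app>/...
set -eu

# file_sum PATH: SHA-256 of PATH; the same value on any host, so it can be
# compared with a known-good instance before copying anything around.
file_sum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# restore_default REF_ROOT SPLUNK_HOME APP RELPATH
#   REF_ROOT     root of a pristine install tree (hypothetical, e.g. /tmp/splunk)
#   SPLUNK_HOME  instance being repaired, normally /opt/splunk
#   APP          app name, here "search"
#   RELPATH      path below the app dir, must start with "default/"
restore_default() {
    ref_root=$1 home=$2 app=$3 rel=$4
    case $rel in
        default/*) ;;
        *) echo "RELPATH must start with default/: $rel" >&2; return 2 ;;
    esac
    ref="$ref_root/etc/apps/$app/$rel"
    cur="$home/etc/apps/$app/$rel"
    loc="$home/etc/apps/$app/local/${rel#default/}"   # where the edit belongs

    [ -f "$ref" ] || { echo "reference file missing: $ref" >&2; return 2; }
    [ -f "$cur" ] || { echo "installed file missing: $cur" >&2; return 2; }

    ref_sum=$(file_sum "$ref")
    if [ "$(file_sum "$cur")" = "$ref_sum" ]; then
        echo "already pristine: $cur"
        return 0
    fi

    # Step 1: timestamped backup of the edited default, kept next to it.
    bak="$cur.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cur" "$bak"

    # Step 3 (done before step 2 so nothing is lost if a copy fails): keep the
    # customisation under local/, which overrides default/ and is not part of
    # the shipped manifest. Never clobber an existing local file.
    mkdir -p "$(dirname "$loc")"
    if [ -e "$loc" ]; then
        echo "local copy already exists, merge by hand: $loc (backup: $bak)" >&2
    else
        cp -p "$cur" "$loc"
    fi

    # Step 2: put the pristine file back where the manifest expects it.
    cp -p "$ref" "$cur"

    # Verify: the restored file must hash identically to the reference.
    [ "$(file_sum "$cur")" = "$ref_sum" ] || { echo "restore failed: $cur" >&2; return 1; }
    echo "restored $cur; customised copy in $loc; backup $bak"
    # Step 4 is left to the operator: "$home/bin/splunk restart"
}
```

Run it as the user that owns the Splunk files, on each cluster member, for example `restore_default /tmp/splunk /opt/splunk search default/data/ui/nav/default.xml`, then restart that member. Before trusting the copy placed under local/, `diff` the backup against the reference so you know whether the difference is the wiki-link edit mentioned above or just an older version of the file. After the restart, re-check the integrity endpoint from a shell on the host itself (`curl -k -u admin https://localhost:8089/services/server/status/installed-file-integrity`); it lives on the management port 8089, which is commonly not reachable from a workstation browser.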

Motivator

Hi Duke, can I follow the above steps to fix the issue? Kindly guide me on this, as it is to be done in a production environment.

thanks in advance.


Motivator

Hi Duke, good morning. Could you please guide me on this, as I need to fix this problem in a production environment.

thanks in advance.


Motivator

Duke, can you tell me whether the above steps can be followed to get this issue fixed?

thanks in advance.
