Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Streamfwd pcap filter compilation error

Mit
Observer
a week ago

I'm attempting to set up an Independent Stream Forwarder on a RHEL machine to collect netflow data, and have it forwarded to HEC on another machine. I have most of the configuration worked out, but when I start the streamfwd service I am receiving the following log messages:

INFO  [140109244728192] (SnifferReactor/SnifferReactor.cpp:161) stream.SnifferReactor - Starting network capture: sniffer
ERROR [140109244728192] (SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor pcap filter 'not (host REDACTED and port 443) and not (host $decideOnStartup and port 8088)' compilation error: aid supported only on ARCnet
FATAL [140109244728192] (CaptureServer.cpp:2338) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer

 

I don't know where it's getting that filter. I attempted to set the below line in streamfwd.conf with a valid BPF, but it doesn't seem to honor it and continues with the same error.

streamfwdcapture.<N>.filter = <BPF>

 

I'm not necessarily concerned at this point with getting a working filter, but I assume the filter in the log message is the issue, since it's the only error in the log. Appreciate any help, thanks in advance.

Labels (2)
Labels
0 Karma
Reply

kiran_panchavat
Influencer
Sunday

@Mit 

Can you check this. https://community.splunk.com/t5/Deployment-Architecture/streamfwd-app-error-in-var-log-splunk-stream... 

https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-uninstall-Independent-Stream-Forwarder/m... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...