
What does "blockSignatureDatabase tag required in config" mean?

jkst1972
Explorer

I use Universal Forwarder (UF) and try to configure it using DeploymentServer located on the index server. The application/config meant to be placed on the UF is not found on the UF. During startup of the UF the following is written in the splunkd.log:

...
05-30-2011 15:25:08.540 +0200 ERROR IndexProcessor - 'blockSignatureDatabase' tag required in config
05-30-2011 15:25:08.560 +0200 ERROR IndexProcessor - Index configuration error: 'blockSignatureDatabase' tag required in config
05-30-2011 15:25:08.573 +0200 WARN HttpPubSubConnection - Received message for an unsubscribed channel: deploymentServer/phoneHome/default/reply/[* server name - masked out ** ]/deploymentClient
05-30-2011 15:25:08.575 +0200 ERROR pipeline - Index configuration error: 'blockSignatureDatabase' tag required in config
05-30-2011 15:25:08.575 +0200 ERROR PipelineComponent - The pipeline indexerPipe threw an exception during initialize
05-30-2011 15:25:08.575 +0200 INFO PipelineComponent - Shutting down system due to fatal error
...

Note that the same server that runs the UF is also running an old LightForwarder in parallel on a different management port. This is done because we are setting up a new Splunk environment and want to keep the old one as it is, with an overlap of data.
Can anyone help me understand what this means and how I can solve it?

0 Karma

jkst1972
Explorer

I found the solution here:
When I deployed apps and config through the deployment server, I named one of the applications SplunkUniversalForwarder. That is the same as the standard application for the UniversalForwarder. This caused the SplunkUniversalForwarder app to be overwritten, and parts of its config were lacking. The result was that the Universal Forwarder was no longer interpreted as one. For example, signing was expected.

dwaddle
SplunkTrust

Good find. I would have never guessed that.

0 Karma

dwaddle
SplunkTrust

The two do not sound related. The blockSignatureDatabase option is related to IT data block signing, and has nothing to do with DeploymentServer. http://www.splunk.com/base/Documentation/latest/Admin/ITDataSigning

Basically, if you have an index configured with blockSignSize= then you also need a blockSignatureDatabase= setting in indexes.conf. On an indexer, this should be set by default.

It also does not make sense to set up block signatures on a forwarder, as no data is actually stored there. Perhaps you have an app that is deployed via deployment server pushing an indexes.conf with these settings?

0 Karma

jkst1972
Explorer

I agree with you.
1) It is not related to deployment server. It seems to work fine. The correct apps are deployed to the UF from the deployment server.
2) Signing on a forwarder doesn't make sense. I tested if there were any indexes config on the UF (using "splunk cmd btool indexes list --debug") but nothing was found.

I also removed the old light forwarder running on the same server as the UF. Same error still in splunkd.log.

0 Karma

jkst1972
Explorer

I wrote "the application/config meant to be placed on the UF is not found on the UF". That is wrong. Config is deployed to the UF by the deployment server. But no data is sent to the indexer from the UF.

0 Karma
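
Added example, not code from the thread or from Splunk: a pre-deployment audit of a deployment server's app directory that flags the two conditions discussed above, an app named like the built-in SplunkUniversalForwarder app and an indexes.conf that sets blockSignSize without blockSignatureDatabase. The function names, the `acme_*` apps and the sample files are constructed, and the script assumes blockSignatureDatabase is set globally (top of the file or under `[default]`) and judges each file on its own, so the effective merged configuration should still be confirmed with btool.

```python
from pathlib import Path
import tempfile

BUILTIN_APP = "SplunkUniversalForwarder"  # standard UF app named in the thread

def parse_conf(text):
    """Parse Splunk .conf text; settings before any [stanza] go under 'default'."""
    stanzas, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit_deployment_apps(apps_root):
    """Return findings per app; each indexes.conf is judged alone, layers are not merged."""
    findings = []
    for app in sorted(p for p in Path(apps_root).iterdir() if p.is_dir()):
        if app.name.lower() == BUILTIN_APP.lower():
            findings.append(f"{app.name}: name collides with the built-in app")
        for conf_file in sorted(app.glob("*/indexes.conf")):
            conf = parse_conf(conf_file.read_text(encoding="utf-8"))
            has_db = bool(conf["default"].get("blockSignatureDatabase"))
            for stanza, settings in conf.items():
                size = settings.get("blockSignSize", "0")
                if size.isdigit() and int(size) > 0 and not has_db:
                    where = conf_file.relative_to(apps_root).as_posix()
                    findings.append(f"{where} [{stanza}]: blockSignSize set, "
                                    "no blockSignatureDatabase")
    return findings

def demo():
    """Audit a constructed deployment-apps tree built in a temp directory."""
    samples = {  # constructed sample input, not taken from the thread
        "SplunkUniversalForwarder/local/outputs.conf": "[tcpout]\n",
        "acme_indexes/local/indexes.conf": "[web]\nblockSignSize = 100\n",
        "acme_ok/local/indexes.conf": "blockSignatureDatabase = sigs\n[web]\nblockSignSize = 100\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return audit_deployment_apps(root)
```

Calling `audit_deployment_apps()` on the real app directory of a deployment server before reloading it gives the same list of findings for the apps about to be pushed.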