Getting Data In

Why does enable Splunk Forwarder on boot FreeBSD display ""Can't access "/etc/rc.conf": No such file or directory" error?

Willman42
Explorer

Running a vm firewall which is running on FreeBSD. I installed the Splunk universal forwarder, and it can run just fine and forward logs to my Splunk Light instance.

However, when I try to enable splunk forwarder to start on boot "sudo splunk enable boot-start", it returns the error: "Can't access "/etc/rc.conf": No such file or directory." I did find /etc/rc.d/splunk, which says its the "init script for Splunk" and is "generated by 'splunk enable boot-start'."

Is something borked with my install?

0 Karma

micahkemp
Champion

Did you run that command as root? I can't imagine /etc/rc.conf being absent on a FreeBSD instance, so the most likely culprit would tend to be permissions.

0 Karma

Willman42
Explorer

Confirmation there is no rc.conf file:

root@OPNsense:~ # ls -l /etc | grep rc
-rw-r--r-- 1 root wheel 176 May 20 19:38 csh.cshrc
-rw-r--r-- 1 root wheel 5109 Mar 29 01:30 rc
-rw-r--r-- 1 root wheel 4543 Mar 26 09:25 rc.bsdextended
drwxr-xr-x 3 root wheel 512 May 5 19:50 rc.conf.d
drwxr-xr-x 2 root wheel 3072 May 24 18:06 rc.d
-rw-r--r-- 1 root wheel 18561 Mar 26 09:25 rc.firewall
-rw-r--r-- 1 root wheel 12791 Mar 26 09:25 rc.initdiskless
-rwxr-xr-x 1 root wheel 2139 Mar 26 09:25 rc.resume
-rw-r--r-- 1 root wheel 3515 Mar 29 01:30 rc.shutdown
-rw-r--r-- 1 root wheel 49880 Mar 26 09:25 rc.subr
-rwxr-xr-x 1 root wheel 2267 Mar 26 09:25 rc.suspend
root@OPNsense:~ #

Maybe OPNsense removed it in their install image? I don't see why they'd do that though.

0 Karma

micahkemp
Champion

Ahhh, well, I can't comment on OPNsense. You can use files in rc.conf.d instead of putting things in rc.conf. It probably won't break things to just create rc.conf and let splunk put its "_enable" line in there.

0 Karma

nhdpotter
Explorer

the file doesn't exist. do this to create it

touch /etc/rc.conf

then run then enable boot-start command

this will actually create the startup script in /etc/rc.d/splunk and in /etc/rc.conf you will now see, splunk_enable="YES"

If it doesn't auto start, copy the splunk_enable line from /etc/rc.conf into /etc/rc.conf.d/splunk

0 Karma

Willman42
Explorer

Ok, what should be in the rc.conf (or conf.c) file? There exists no splunk file in either directory currently, so first I'd like to create the needed file in conf.d and see if that works, just to retain the existing file structure.

0 Karma

micahkemp
Champion

rc.conf can be empty, so I'd try creating an empty file first.

Note: I'm not suggesting this is valid in OPNsense. Please consider all of this at your own risk.

0 Karma

Willman42
Explorer

I understand. After creating the file, running "splunk enable boot-start" worked, said the splunk startup script was created in /etc/rc.d, and I noticed that the /etc/rc.conf file contained the following:

"splunk_enable="YES""

However, after rebooting, checking splunk status returned the following:

splunkd 8578 was not running.
Stopping splunk helpers...

Done.
Stopped helpers.
Removing stale pid file... done.

Could this be a problem with the FreeBSD version of the universal forwarder client?

0 Karma

micahkemp
Champion

Try giving it another reboot, since it seems there was a stale pidfile that time.

However, even if it starts this time, it doesn't mean things are "ok" with splunk not starting on boot due to a stale pidfile.

I haven't ever had issues with the FreeBSD UF starting on boot, but that certainly doesn't mean there aren't bugs.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...