Running a VM firewall which is running on FreeBSD. I installed the Splunk universal forwarder, and it can run just fine and forward logs to my Splunk Light instance.
However, when I try to enable the Splunk forwarder to start on boot with "sudo splunk enable boot-start", it returns the error: "Can't access "/etc/rc.conf": No such file or directory." I did find /etc/rc.d/splunk, which says it's the "init script for Splunk" and is "generated by 'splunk enable boot-start'."
Is something borked with my install?
Did you run that command as root? I can't imagine /etc/rc.conf being absent on a FreeBSD instance, so the most likely culprit would tend to be permissions.
Confirmation there is no rc.conf file:
root@OPNsense:~ # ls -l /etc | grep rc
-rw-r--r-- 1 root wheel 176 May 20 19:38 csh.cshrc
-rw-r--r-- 1 root wheel 5109 Mar 29 01:30 rc
-rw-r--r-- 1 root wheel 4543 Mar 26 09:25 rc.bsdextended
drwxr-xr-x 3 root wheel 512 May 5 19:50 rc.conf.d
drwxr-xr-x 2 root wheel 3072 May 24 18:06 rc.d
-rw-r--r-- 1 root wheel 18561 Mar 26 09:25 rc.firewall
-rw-r--r-- 1 root wheel 12791 Mar 26 09:25 rc.initdiskless
-rwxr-xr-x 1 root wheel 2139 Mar 26 09:25 rc.resume
-rw-r--r-- 1 root wheel 3515 Mar 29 01:30 rc.shutdown
-rw-r--r-- 1 root wheel 49880 Mar 26 09:25 rc.subr
-rwxr-xr-x 1 root wheel 2267 Mar 26 09:25 rc.suspend
Maybe OPNsense removed it in their install image? I don't see why they'd do that though.
Ahhh, well, I can't comment on OPNsense. You can use files in rc.conf.d instead of putting things in rc.conf. It probably won't break things to just create rc.conf and let splunk put its "_enable" line in there.
Ok, what should be in the rc.conf (or conf.c) file? There exists no splunk file in either directory currently, so first I'd like to create the needed file in conf.d and see if that works, just to retain the existing file structure.
rc.conf can be empty, so I'd try creating an empty file first.
Note: I'm not suggesting this is valid in OPNsense. Please consider all of this at your own risk.
I understand. After creating the file, running "splunk enable boot-start" worked, said the splunk startup script was created in /etc/rc.d, and I noticed that the /etc/rc.conf file contained the following:
However, after rebooting, checking splunk status returned the following:
splunkd 8578 was not running.
Stopping splunk helpers...
Removing stale pid file... done.
Could this be a problem with the FreeBSD version of the universal forwarder client?
Try giving it another reboot, since it seems there was a stale pidfile that time.
However, even if it starts this time, it doesn't mean things are "ok" with splunk not starting on boot due to a stale pidfile.
I haven't ever had issues with the FreeBSD UF starting on boot, but that certainly doesn't mean there aren't bugs.
The file doesn't exist. Do this to create it
Then run the enable boot-start command
This will actually create the startup script in /etc/rc.d/splunk, and in /etc/rc.conf you will now see splunk_enable="YES"
If it doesn't auto start, copy the splunk_enable line from /etc/rc.conf into /etc/rc.conf.d/splunk
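
The steps from the answer above as an added /bin/sh example, not code from the thread or from Splunk: it creates an empty rc.conf if none exists, then copies the splunk_enable line into rc.conf.d/splunk without duplicating it on repeat runs. The function name copy_splunk_enable and its directory argument are assumptions made here so the logic can be tried against a scratch directory before /etc.

```sh
#!/bin/sh
# Added example (not from the thread). The function name and the ETC_DIR
# argument are hypothetical; ETC_DIR defaults to /etc.

# copy_splunk_enable [ETC_DIR]
# Returns 0 once ETC_DIR/rc.conf.d/splunk holds the splunk_enable line,
# 1 if rc.conf has no splunk_enable line yet (boot-start not run),
# 2 if a temporary file could not be created.
copy_splunk_enable() {
    etc_dir=${1:-/etc}
    rc_conf="$etc_dir/rc.conf"
    drop_in="$etc_dir/rc.conf.d/splunk"

    # rc.conf may be empty; create it only if it is absent.
    [ -e "$rc_conf" ] || : > "$rc_conf"

    # rc.conf is sourced as shell, so the last assignment is the one in effect.
    line=$(grep -E '^[[:space:]]*splunk_enable=' "$rc_conf" | tail -n 1)
    if [ -z "$line" ]; then
        echo "no splunk_enable line in $rc_conf; run 'splunk enable boot-start' first" >&2
        return 1
    fi

    mkdir -p "$etc_dir/rc.conf.d"
    # Idempotent: keep other settings, drop any old splunk_enable line,
    # append the current one, then swap the file into place.
    tmp=$(mktemp "$drop_in.XXXXXX") || return 2
    if [ -f "$drop_in" ]; then
        grep -Ev '^[[:space:]]*splunk_enable=' "$drop_in" > "$tmp" || true
    fi
    printf '%s\n' "$line" >> "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" "$drop_in"
}
```

Run it once before "splunk enable boot-start" to create the empty rc.conf, and again afterwards to copy the line.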