Why is Splunk UF not able to send log from Solaris sparc OS?

Jaki001
Explorer

Dears

I have installed Splunk UF v8.1.3 on Solaris SPARC servers (v11.5). We are not getting any logs from those servers apart from _internal logs.
We did the checks below.

1. Connection fine - telnet connects.

2. splunkd log - connected to the HF and refused within a few seconds.

3. Directory path is fine in the inputs.conf file.

4. Nothing found in the HF audit log.

5. Checked firewall logs, showing server reset and client reset.

6. Debug log collected and shared with the support team; no root cause found.

Can you please help on this? 

What could be the issue? Is there any configuration that needs to be modified?

BR,

Jakir


Jaki001
Explorer

Hello @gcusello ,

Is there any way to find out whether the UF is facing a permission issue while reading the logs?


gcusello
Legend

Hi @Jaki001,

You have to check the read permissions on the files to read for group and others; in this way you will know whether the user you're using to run Splunk is enabled to read the files. If not, you have three ways:

  • to change the user you're using to run Splunk (I don't like this solution but it's the easiest),
  • to change the group of the user you're using to run Splunk, adding the same group as the files to read,
  • to change the rights on the files, adding read grants (4) to others.

Ciao.

Giuseppe

isoutamo
SplunkTrust

Check from splunkd.log if there is something. Another easy way is just to log in as the splunk user (whatever it is in your environment) and then try to look at those files with tail -5 <file>. If you can see their content, then that user has access to the file.

r. Ismo
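The two checks suggested in the replies above (gcusello's mode-bit check for group and others, and isoutamo's "look at the file as the splunk user / look at splunkd.log"), worked through as a script. This is an added example, not code from either poster or from Splunk; it is written in POSIX sh so it also runs in Solaris /bin/sh. The function names (path_grants, splunk_can_read, splunkd_input_errors), the "splunk" user and the default /opt/splunkforwarder path in the usage comment, and the sample log lines in SAMPLE_SPLUNKD_LOG are assumptions made for this example; the component names in the regex are the ones a forwarder's splunkd.log normally uses and may differ between versions.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk). Two checks for "the UF
# connects but reads nothing":
#   splunk_can_read FILE USER GROUPS  -> could USER (member of the space-separated
#       GROUPS) open FILE for reading, judged only from the mode bits, owner and
#       group that "ls -ld" prints? Every parent directory is also checked for
#       search (x) permission: read permission on the file is useless when a
#       directory above it cannot be traversed.
#   splunkd_input_errors LOGFILE      -> WARN/ERROR lines from the file-tailing
#       components of splunkd.log, where the forwarder reports why a monitored
#       path is not being read.
# Caveat: this reads mode bits only. Solaris ZFS/NFSv4 ACLs (see "ls -v") can
# still deny access that the mode bits appear to grant.

# path_grants PATH LETTER USER GROUPS: 0 if USER gets permission LETTER (r or x)
# on PATH under POSIX mode-bit rules: the owner class is used if USER owns the
# file, otherwise the group class if USER is in the file's group, otherwise "other".
path_grants() {
    p=$1; letter=$2; u=$3; grps=$4
    [ "$u" = root ] && return 0              # root bypasses mode bits
    set -- $(ls -ldL "$p")                   # -L: judge the symlink target, as the forwarder does
    mode=$1; owner=$3; grp=$4
    case $letter in r) off=0 ;; x) off=2 ;; *) return 2 ;; esac
    if [ "$owner" = "$u" ]; then
        col=$((2 + off))                     # columns 2-4 of the mode string: owner bits
    else
        col=$((8 + off))                     # columns 8-10: "other" bits ...
        for g in $grps; do
            [ "$g" = "$grp" ] && col=$((5 + off))   # ... unless USER is in the file's group (5-7)
        done
    fi
    c=$(printf '%s' "$mode" | cut -c"$col")
    # for x, a lowercase s (setuid/setgid) or t (sticky) also means execute is set
    case $letter$c in rr|xx|xs|xt) return 0 ;; *) return 1 ;; esac
}

# splunk_can_read FILE USER GROUPS: 0 if USER could read FILE, else 1 with the
# reason on stdout. Ancestor directories are walked up to "/" (or "." for a
# relative path).
splunk_can_read() {
    f=$1; u=$2; grps=$3
    [ -e "$f" ] || { echo "$f: does not exist"; return 1; }
    d=$(dirname "$f")
    while [ "$d" != / ] && [ "$d" != . ]; do
        path_grants "$d" x "$u" "$grps" || { echo "$f: $u cannot traverse $d"; return 1; }
        d=$(dirname "$d")
    done
    path_grants "$f" r "$u" "$grps" || {
        echo "$f: $u may not read it ($(ls -ldL "$f" | awk '{print $1, $3, $4}'))"; return 1; }
    echo "$f: readable by $u"
}

# splunkd_input_errors LOGFILE: WARN/ERROR lines from the components that read
# monitored files. splunkd.log lines have the layout
#   MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component - message
splunkd_input_errors() {
    grep -E '^[0-9-]+ [0-9:.]+ [+-][0-9]+ (WARN|ERROR) +(TailReader|TailingProcessor|WatchedFile|FilesystemChangeWatcher) - ' "$1"
}

# Constructed sample lines in the splunkd.log layout (not real forwarder output),
# used to exercise splunkd_input_errors offline: two should match, two should not.
SAMPLE_SPLUNKD_LOG='03-10-2021 09:15:01.123 +0000 INFO  TailingProcessor - Parsing configuration stanza: monitor:///var/adm/messages.
03-10-2021 09:15:01.456 +0000 WARN  TailReader - Insufficient permissions to read file=/var/adm/messages (constructed sample).
03-10-2021 09:15:02.000 +0000 ERROR TailingProcessor - Ignoring path=/var/log/app because it does not exist (constructed sample).
03-10-2021 09:15:03.000 +0000 WARN  HttpPubSubConnection - Unable to parse message (constructed sample).'

# Typical use on the forwarder, as root (paths and user name are the defaults, adjust to yours):
#   splunk_can_read /var/adm/messages splunk "$(id -Gn splunk)"
#   splunkd_input_errors /opt/splunkforwarder/var/log/splunk/splunkd.log
```

Both functions only report; they change nothing. If splunk_can_read says the forwarder user cannot read or traverse, the fix is one of the three options gcusello listed, and the splunkd.log filter should then stop showing the corresponding WARN lines.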

gcusello
Legend

Hi @Jaki001,

If you're receiving Splunk internal logs, the connection is OK, so you have to debug the inputs.

At first check if the user that you're using to run Splunk (on Forwarder) has the grants to read the files to monitor.

Then you can see the splunkd logs on the forwarder at $SPLUNK_HOME/var/log/splunk/splunkd.log or on Splunk running a search on _internal to see what's the problem.

Usually the problem is the grants.

If you continue to have problems, you can open a Case with Splunk Support, because your platform is in the compatibility list https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements (only for Universal Forwarders).

Ciao.

Giuseppe
