- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: sc4s failed unauthorized access
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sc4s failed unauthorized access
Hi Everyone,
I am not Splunk engineer but I have task to do. sc4s.service is failed. Can't get the logs. It was working before.
As an error it says 'Unauthorized access'. But I don't have any credentials for that.
Environment="SC4S_IMAGE=docker.io/splunk/scs:latest"
Could you help me please how to fix it?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At first glance it does not seem that that SC4S_IMAGE exists or is accessible. If you try to docker pull it, it says it either does not exist or needs credentials.
Could you check the journalctl logs for the service to see if there are errors or notes around that error which would add context to it?
sudo journalctl -u sc4s.service
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Marnall,
Thanks for your response. Former employee configures the sc4s. So I don't have any credentials for that. Here are the journalctl logs:
podman[2480968]: Trying to pull docker.io/splunk/scs:latest...
podman[2480968]: Error: Error initializing source docker://splunk/scs:>
podman[2480968]: denied: requested access to the resource is denied
podman[2480968]: unauthorized: authentication required
systemd[1]: sc4s.service: Control process exited, code=exited status=1>
systemd[1]: sc4s.service: Failed with result 'exit-code'.
systemd[1]: Failed to start SC4S Container.
docker.io/splunk/scs:latest... this is not the same location which is written is Splunk documentation. Even I change it and restart, it is still failed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It appears to be failing to pull the docker image.
This guide for setting up sc4s suggests using a different value for SC4S_IMAGE https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/podman-systemd-general/#unit-...
Is "ghcr.io/splunk/splunk-connect-for-syslog/container3:latest" the SC4S_IMAGE value you tried?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I used that image but it still didn't work. Thanks for sharing the documentation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does it produce different errors than "Unauthorized access" when you use other images?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, It gave the same error "Unauthorized access"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps you could try remaking the sc4s using the official guide. It may take less time than trying to debug the current instance.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
