Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sc4s failed unauthorized access

mayvisible
Loves-to-Learn Lots
‎09-25-2024 07:25 AM

Hi Everyone,

I am not Splunk engineer but I have task to do. sc4s.service is failed. Can't get the logs. It was working before. 

As an error it says 'Unauthorized access'. But I don't have any credentials for that. 

Environment="SC4S_IMAGE=docker.io/splunk/scs:latest" 

Could you help me please how to fix it?

Thanks, 

Labels (2)
Labels
0 Karma
Reply

marnall
Motivator
‎09-25-2024 01:58 PM

At first glance it does not seem that that SC4S_IMAGE exists or is accessible. If you try to docker pull it, it says it either does not exist or needs credentials. 

Could you check the journalctl logs for the service to see if there are errors or notes around that error which would add context to it?

sudo journalctl -u sc4s.service

0 Karma
Reply

mayvisible
Loves-to-Learn Lots
‎09-26-2024 06:43 AM

Hi Marnall,

Thanks for your response. Former employee configures the sc4s. So I don't have any credentials for that. Here are the journalctl logs: 


podman[2480968]: Trying to pull docker.io/splunk/scs:latest...
podman[2480968]: Error: Error initializing source docker://splunk/scs:>
podman[2480968]: denied: requested access to the resource is denied
podman[2480968]: unauthorized: authentication required
systemd[1]: sc4s.service: Control process exited, code=exited status=1>
systemd[1]: sc4s.service: Failed with result 'exit-code'.
systemd[1]: Failed to start SC4S Container.

docker.io/splunk/scs:latest... this is not the same location which is written is Splunk documentation. Even I change it and restart, it is still failed. 

0 Karma
Reply

marnall
Motivator
‎09-26-2024 12:01 PM

It appears to be failing to pull the docker image.

This guide for setting up sc4s suggests using a different value for SC4S_IMAGE https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/podman-systemd-general/#unit-...

Is "ghcr.io/splunk/splunk-connect-for-syslog/container3:latest" the SC4S_IMAGE value you tried?

0 Karma
Reply

mayvisible
Loves-to-Learn Lots
‎09-27-2024 07:08 AM

Yes, I used that image but it still didn't work. Thanks for sharing the documentation.

0 Karma
Reply

marnall
Motivator
‎09-28-2024 12:24 PM

Does it produce different errors than "Unauthorized access" when you use other images?

0 Karma
Reply

mayvisible
Loves-to-Learn Lots
‎09-30-2024 05:47 AM

No, It gave the same error "Unauthorized access" 

0 Karma
Reply

marnall
Motivator
‎10-09-2024 12:13 PM

Perhaps you could try remaking the sc4s using the official guide. It may take less time than trying to debug the current instance.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...