Getting Data In

sc4s failed unauthorized access

mayvisible
Loves-to-Learn Lots

Hi Everyone,

I am not Splunk engineer but I have task to do. sc4s.service is failed. Can't get the logs. It was working before. 

As an error it says 'Unauthorized access'. But I don't have any credentials for that. 

Environment="SC4S_IMAGE=docker.io/splunk/scs:latest" 

Could you help me please how to fix it?

Thanks, 

Labels (2)
0 Karma

marnall
Motivator

At first glance it does not seem that that SC4S_IMAGE exists or is accessible. If you try to docker pull it, it says it either does not exist or needs credentials. 

Could you check the journalctl logs for the service to see if there are errors or notes around that error which would add context to it?

sudo journalctl -u sc4s.service

0 Karma

mayvisible
Loves-to-Learn Lots

Hi Marnall,

Thanks for your response. Former employee configures the sc4s. So I don't have any credentials for that. Here are the journalctl logs: 


podman[2480968]: Trying to pull docker.io/splunk/scs:latest...
podman[2480968]: Error: Error initializing source docker://splunk/scs:>
podman[2480968]: denied: requested access to the resource is denied
podman[2480968]: unauthorized: authentication required
systemd[1]: sc4s.service: Control process exited, code=exited status=1>
systemd[1]: sc4s.service: Failed with result 'exit-code'.
systemd[1]: Failed to start SC4S Container.

docker.io/splunk/scs:latest... this is not the same location which is written is Splunk documentation. Even I change it and restart, it is still failed. 

0 Karma

marnall
Motivator

It appears to be failing to pull the docker image.

This guide for setting up sc4s suggests using a different value for SC4S_IMAGE https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/podman-systemd-general/#unit-...

Is "ghcr.io/splunk/splunk-connect-for-syslog/container3:latest" the SC4S_IMAGE value you tried?

0 Karma

mayvisible
Loves-to-Learn Lots

Yes, I used that image but it still didn't work. Thanks for sharing the documentation.

0 Karma

marnall
Motivator

Does it produce different errors than "Unauthorized access" when you use other images?

0 Karma

mayvisible
Loves-to-Learn Lots

No, It gave the same error "Unauthorized access" 

0 Karma

marnall
Motivator

Perhaps you could try remaking the sc4s using the official guide. It may take less time than trying to debug the current instance.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...