Two symptoms have been happening for some time and none of us know why or how this happened. The 2 symptoms are the following:
Disable | Enable Receiving Port 9997 (although we can all toggle receiving port 9998
These are disturbing symptoms and I have been weeks on a support ticket to try to figure this out. It makes everything suspect because If we do something in the console and permissions are not propagating or we install an app and it doesn’t install properly, then there are bigger problems that propagate because of this.
We have already verified that we are in the Splunk AD groups for admin that we set up and also that that group has local admin rights on the server.
Fixing these 2 issues and understanding what caused it will go a long way trusting that things are right in our instance again.
There is nothing that is very telling in the logs (they are all on Warn level).
Have any of you heard of these symptoms happening or have experience with this.
What could be happening and what is a good course for hunting down the root cause?
I have created recently several support tickets that (in my opinion) could be related to user/use-rules that gave me this impression. But might be also related to our recent migration from 2012 R2 to Windows 2019 server. No final conclusion to be made. But I never had this kind of issues before while upgrading to a newer version. Although user/user-roles are always a mystery for me.
So, i can not produce a direct reference to a post earlier. I have the feeling, ie based on the "what is new" info, that some (major security changes under the hood) - unknow or unnoticed by me- and legacy configs of earlier version etc, might be the cause of this.
ie @ v.806 that using the "sendemail" function needs to have explicit the "admin_all-Object" activated. What the impact is I really have a no clue, neither for me as admin or our other regular users with standard user-role.
logging in as admin, selecting "Analytics" and receiving the message: "You do not have permissions to access objects of user=admin’ makes me a kind of nervous not sure my instance is working correctly
And leaves me a bit confused and uncertain related to overall user security. Nb. I f you want further info about this or my recent tickets please send me a private note, because I might be wrong altogether. And thanks for your response 🙂
kind regards Ashley Pietersen
Same here, I am struggling since version 8.0.5x / and a migration to w2019 server. I have problems that seems to be related (i Tink) with user & roles and permission. I am now on version 8.0.6 which was mentioned this problem as been addressed/solved, but is still happening ??
kind regards AP
Thank you for responding to this. Can you please post a link that references that this is a known issue? I have not found that. Also support reps did not seem aware of this when on calls related to this issue.
I've seen this before, the issue was that there was some configuration in system/local/restmap.conf, Something like this:
requireAuthentication = false
requireAuthentication = false
We removed the configuration and it worked.
I will certainly try an let you know.
As earlier said in my earlier support tickets, yes we migrated to a Windows 2019, last year, as was a Splunk mandatory (before w2012)R2 , I build a fresh test Splunk instance with same Win2019 server, but still have the same issues as our production instance.
let you know
update from splunk support:
I hope you are doing well. I was reviewing the know issues list and I found the issue number SPL-138647, See the link below for more information.
Let me know if it worked for you.
unfortunately no success yet