Re: Change "License group" to "Free License"

MYHOP · ‎09-01-2022

I downloaded splunk-9.0.1-82c987350fde-linux-2.6-x86_64.rpm and installed it on a fresh centos7 VM. Then I ran the following commands:

# yum install centos-release-scl

# yum install rh-postgresql96-postgresql-libs devtoolset-9 devtoolset-9-gcc openssl-devel net-tools libffi-devel

After that, I opened tcp ports to allow traffic to pass through the local firewall:

# firewall-cmd --add-port=8000/tcp –permanent

# firewall-cmd --add-port=8089/tcp --permanent

# firewall-cmd –reload

and started the Splunk app by running the following command:

# /opt/splunk/bin/splunk start

Then I changed the “license group” to “free license” and restarted the splunk:

# /opt/splunk/bin/splunk restart

After restart, I made two modifications:

I forced splunk to use phyton3 as by default it uses Python 2:

# Vi /opt/splunk/etc/system/local/server and added the following line to the section titled [general]:

# python.version = force_python3

Then restarted the splunk again:

# /opt/splunk/bin/splunk restart

2. I ran the following command because I needed Splunk to start automatically when the machine booted:

# /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user admin

But I faced the following error:

“splunk is currently ranning, please stop it before ranning enable/disable boot-start”

I stopped the splunk and ran the command for the second time:

# /opt/splunk/bin/splunk stop

# /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user admin

The output was:

“Could not find user admin”

Then I ran just the first part of the command as below.

# /opt/splunk/bin/splunk enable boot-start

The output was:

“Init script installed at /etc/init.d/splunk.”

“Init script is configured to ran at boot.”

I ran the compelete command again:

# /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user admin

The output was:

“Initd script /etc/init.d/splunk exists. splunk is currently enabled as init.d bootstart service.”

I logged out of the VM and logged in via ssh connection as root, but the splunk did not run automatically as I had wished.

I would be grateful if you could help me to solve it.

MYHOP · ‎09-05-2022

Thank you both.

systemctl start splunk.service

👆 it worked for me

richgalloway · ‎09-01-2022

This is not a license problem.

The user specified in the boot-start command must exist in /etc/passwd. The user created by the rpm is 'splunk'. The command

/opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk

probably would have been successful.

The command

/opt/splunk/bin/splunk enable boot-start

was indeed successful, but did something different. It set up Splunk to start under init.d rather than systemd, which seems to be incorrect for your system. To fix it, first disable init.d boot-start

/opt/splunk/bin/splunk disable boot-start

Then re-enable it under systemd

/opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk

---
If this reply helps you, Karma would be appreciated.

MYHOP · ‎09-01-2022

Thanks, Richgalloway for your reply.

I did the modifications you mentioned.

After all, I went to start splunk, but I faced the following error:

Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_assist/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_instrumentation/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/learned/metadata/local.meta: Permission denied
Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_assist/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_instrumentation/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/learned/metadata/local.meta: Permission denied
Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_assist/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_instrumentation/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/learned/metadata/local.meta: Permission denied
Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_assist/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_instrumentation/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/learned/metadata/local.meta: Permission denied
Error opening username mapping file: /opt/splunk/etc/users/users.ini err: Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_assist/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/splunk_instrumentation/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
Cannot initialize: /opt/splunk/etc/apps/learned/metadata/local.meta: Permission denied

Traceback (most recent call last):
File "/opt/splunk/lib/python3.7/site-packages/splunk/clilib/cli.py", line 38, in <module>
import splunk.auth as auth
File "/opt/splunk/lib/python3.7/site-packages/splunk/auth.py", line 9, in <module>
import splunk.entity as en
File "/opt/splunk/lib/python3.7/site-packages/splunk/entity.py", line 12, in <module>
import splunk.rest as rest
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 32, in <module>
import splunk.ssl_context
File "/opt/splunk/lib/python3.7/site-packages/splunk/ssl_context.py", line 35, in <module>
import splunk.mining.dcutils as dcu
File "/opt/splunk/lib/python3.7/site-packages/splunk/mining/dcutils.py", line 84, in <module>
pythonLogHandler = logging.handlers.RotatingFileHandler(filename=os.path.join(os.environ['SPLUNK_HOME'], 'var', 'log', 'splunk', 'python.log'), mode='a', maxBytes=scannedMaxBytes, backupCount=scannedMaxBackupIndex)
File "/opt/splunk/lib/python3.7/logging/handlers.py", line 148, in __init__
BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
File "/opt/splunk/lib/python3.7/logging/handlers.py", line 55, in __init__
logging.FileHandler.__init__(self, filename, mode, encoding, delay)
File "/opt/splunk/lib/python3.7/logging/__init__.py", line 1087, in __init__
StreamHandler.__init__(self, self._open())
File "/opt/splunk/lib/python3.7/logging/__init__.py", line 1116, in _open
return open(self.baseFilename, self.mode, encoding=self.encoding)
PermissionError: [Errno 13] Permission denied: '/opt/splunk/var/log/splunk/python.log'
Error running pre-start tasks

Do you have any suggestions?

richgalloway · ‎09-01-2022

The files in $SPLUNK_HOME are owned by the wrong account. Use this command to fix it.

sudo chown -R splunk:splunk /opt/splunk

---
If this reply helps you, Karma would be appreciated.

MYHOP · ‎09-02-2022

Thank you. Yes, It worked, but I am still on the same page.

I need Splunk to start automatically when the machine boots.

I ran /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk, but nothing has changed yet.

MYHOP · ‎09-02-2022

It could be helpful:

I stopped splunk, then I ran the following again:

# /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk
Systemd unit file installed at /etc/systemd/system/Splunkd.service.
Configured as systemd managed service.
# /opt/splunk/bin/splunk start

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-9.0.1-82c987350fde-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
[ OK ]
# systemctl status splunkd.service
Unit splunkd.service could not be found. 🙄🤔

richgalloway · ‎09-02-2022

If you use systemd then Splunk should be started using systemctl

systemctl start splunkd.service

Also, verify "splunkd.service" is the correct service name. I've seen various names on systems, including "Splunk", "splunk", and "splunkd", but never "splunkd.service" (which doesn't mean it can't be that).

---
If this reply helps you, Karma would be appreciated.

PickleRick · ‎09-03-2022

With systemd the type of the unit can be often ommited if it's ".service".

So

systemctl start splunkd

is in fact just a shorthand for

systemctl start splunkd.service

How to change "License group" to "Free License"?

license

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?