Hi,
Is Splunk Enterprise shipped with a JRE? IT contains a lot of JARs..
Did not find a typical JRE though.
If yes do I find the exact version? How often does Splunk update it?
If no, why all the JARs?
When looking under var/run/searchpeers I see references from the splunk archiver to OpenJDK8U but only directories, no binaries.
thx
afx
Splunk definitely did ship OpenJDK in 8.0.4.1, just download the RPM and check.
It is gone in 8.1.1.
That's why I had those artifacts and the reports from our compliance team.
Splunk definitely did ship OpenJDK in 8.0.4.1, just download the RPM and check.
It is gone in 8.1.1.
That's why I had those artifacts and the reports from our compliance team.
Hi, Splunk does not ship with a JRE or JDK. My understanding is that the jars have recently been included to support multiple functions, Hadoop being one of the main functions, however without a JRE they cannot be run using an out of the box installation. As a second reason why there isn't one included - Splunk can't include a JRE as that would violate the license terms of all of the JRE/JDK providers that are supported.
Then please explain the OpenJDK artefacts from splunk_archiver under var/run. They make no sense for stuff that is just kept in case it is needed.
Our compliance team found the following executable at some time:
/splunk/var/run/searchpeers/splunkds-1608544850/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/bin/java
Right now it is gone. Only the directory up to /splunk/var/run/searchpeers/splunkds-1608544850/apps/splunk_archiver/java-bin/jars/ still exists, the bin subdirectory is gone right now.
Splunk does NOT ship with .jar files and it does not ship with a JRE. Where are you finding them? My guess is they came with an app installed separately. For example, Splunk DB Connect includes a few JARs, but also requires separate installation of a JDK (not a JRE).
Got to /splunk/bin and check the jars directory.
Then go to /splunk/apps/splunk_archiver and check there.
Or grep for jar in the manifest.
All shipped with Splunk.
My Windows Splunk instance (8.1) does not have a splunk/bin/jars directory. I don't have the splunk_archiver app, either.
My Linux instance has both of those.
Splunk still does not ship with a JRE or JDK.
Even more puzzling then isn't it?
Add the artifacts viewable under var/run it becomes a real mystery.
This all popped up because our compliance guys ran scans for java runtimes and found them on my splunk servers but they seem to show up only temporarily.
My current assumption is that they are unpacked from some place in Splunk at runtime.
The core Splunk Enterprise functionality does not use OpenJDK but included the jar to support DFS. If you do not use DFS, the Splunk Enterprise application does not use or load OpenJDK, and the jar does not pose a security risk to your instance.
Splunk Enterprise removed OpenJDK in 8.1.0 and later. See https://docs.splunk.com/Documentation/DFS/latest/DFS/InstallationChecklist for more info. However, updating from older versions does not remove it. If you do not use DFS or do not plan to use DFS, regardless of your Splunk version, feel free to delete the file folder in SPLUNK_HOME/bin/jars or SPLUNK_HOME/bin/jars/vendors/java.
The jars files in SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars propagates from SPLUNK_HOME/bin/jars. In the background and on running the command |archivebuckets forcerun=1, splunkd copies all jar files from /bin/jars to splunk_archiver. However, splunk_archiver does not use OpenJDK and the jar does not pose a threat to your instance. Deleting the file from the main folder and restarting Splunk should delete it from splunk_archiver. Running |archivebuckets forcerun=1 forces the operation.
If your environment uses DFS, you can manually update/replace OpenJDK with a newer version. Keep in mind, DFS EOLs in October 2021.