Getting this message "File Integrity checks found files that did not match the system-provided manifest. See splunkd.log for details."
Anyone seen this before? Any idea what it's about?
Seeing this in the splunkd.log:
09-24-2016 11:12:26.554 -0400 WARN InstalledFilesHashChecker - An installed file="/opt/splunk/etc/log.cfg" did not pass hash-checking due to reason="content mismatch"
I'm using log-local.cfg so I'm wondering what I messed up here.
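As an added example (not from this thread or from Splunk), here is a small Python script that pulls the InstalledFilesHashChecker warnings out of splunkd.log, groups them by reason, and flags any that sit under a default/ directory, since those are shipped defaults that should only be overridden from local/. The first sample line is the one quoted above; the other two are constructed.

```python
import re
from collections import defaultdict

# Regex for the InstalledFilesHashChecker warning format seen in splunkd.log.
WARN_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) WARN '
    r'InstalledFilesHashChecker - An installed file="(?P<path>[^"]+)" '
    r'did not pass hash-checking due to reason="(?P<reason>[^"]+)"\s*$'
)


def parse_integrity_warnings(lines):
    """Return a list of (timestamp, path, reason) for every hash-check warning."""
    hits = []
    for line in lines:
        m = WARN_RE.match(line.strip())
        if m:
            hits.append((m.group("ts"), m.group("path"), m.group("reason")))
    return hits


def triage(lines):
    """Group mismatched files by reason and flag edits made under a default/ dir."""
    by_reason = defaultdict(list)
    edited_defaults = []
    for _ts, path, reason in parse_integrity_warnings(lines):
        by_reason[reason].append(path)
        if "/default/" in path:  # shipped default config: override in local/ instead
            edited_defaults.append(path)
    return dict(by_reason), edited_defaults


# Constructed sample: the warning quoted in this thread plus two made-up lines.
SAMPLE_LOG = [
    '09-24-2016 11:12:26.554 -0400 WARN InstalledFilesHashChecker - An installed '
    'file="/opt/splunk/etc/log.cfg" did not pass hash-checking due to reason="content mismatch"',
    '09-24-2016 11:12:26.555 -0400 WARN InstalledFilesHashChecker - An installed '
    'file="/opt/splunk/etc/system/default/outputs.conf" did not pass hash-checking '
    'due to reason="content mismatch"',
    '09-24-2016 11:12:26.600 -0400 INFO  loader - Splunkd starting (build abc123).',
]

if __name__ == "__main__":
    by_reason, edited_defaults = triage(SAMPLE_LOG)
    for reason, paths in by_reason.items():
        print(f"{reason}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
    if edited_defaults:
        print("Edited shipped defaults (move these changes to local/):", edited_defaults)
```

Point it at a real splunkd.log with `triage(open("/opt/splunk/var/log/splunk/splunkd.log"))` to get the same grouping for your own instance.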
Using Splunk 6.5 (clustered environment) here and also getting the messages.
At https://[your_splunk]:8089/services/server/status//installed-file-integrity you can find an overview of the files that did not match the system-provided manifest.
Looks like default files that were changed.
I received this error after following another thread that stated you uninstall apps by disabling them, removing the folders from ./etc/apps and then restarting. Any idea how to fix this?
@adepasquale - The message means that files that come with Splunk (listed in the manifest file) were changed after install. This might mean you removed a required app like the launcher or search app. Tread carefully there and make sure everything in a base install exists. Alternatively, use the answers listed in this post to hide the messages and/or learn what files were changed.
./splunk validate files
Yes! In fact, we just had the docs team include this banner message's text in our docs. So hopefully anyone else running into this will more easily find the docs in an internet search:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/ChecktheintegrityofyourSplunksoftwarefiles#...
I don't think we posted this on here yet, but here's some background: http://docs.splunk.com/Documentation/Splunk/latest/Admin/ChecktheintegrityofyourSplunksoftwarefiles
A peer of mine, Justin, showed me that limits.conf has a setting, installed_files_integrity, that controls if the integrity items are exposed to the UI, splunkd.log, or not at all. I consider this a win!
getting this too... I'm trying to clear any non-INFO issues logged in splunkd.log. Also trying to document things in my deployment by adding to README files (and commenting in other conf files) -- which of course changes the hash and triggers this WARNing. Most annoying...
Wish there was a way to update the hashes for the "InstalledFilesHashChecker" hash table...
6.5, cluster, deployment server, etc...
BTW, Luke, the link you provided is for file monitoring, this is not that. This is a hash check at startup to compare existing files to a manifest of ones originally installed.
That's a great example. I think in mine, it's just the meta files. Both shouldn't be so dramatic IMO. If you open a case on this, ask support to link to SPL-133233.
You can also use this CLI command to see which files were changed (if you have back-end access)
./splunk validate files
Lol. Look below and you'll spot that @vskoryk shared that time as well back in March. BUT, good idea to have it in here as part of the accepted answer since that's where folks will look.
Me too! (I changed the metadata file to promote/share a view, but it was no longer useful anyway.) Thanks.
Following the above URL, I get "404: Page not found". I don't have any "installed-file-integrity" page.
Sounds like you might have gone to the wrong URI or port. Wanna paste the URL here?
Your info helped me out too 🙂
Great catch! Root cause was some stuff I was screwing around with in regards to the introspection_generator_addon and user-prefs, which were blowing away the default config. So, this is all my fault, but thanks for catching the endpoint which exposed the root cause!
How did you revert back to the old settings. I have no clue what has changed in my default outputs.conf
If you edited a setting within the default folder (something you should never do) simply do an upgrade or refer to the spec file where many of the defaults are outlined in the setting's description: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
What version of Splunk are you using?
You can read about file system monitoring here:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Monitorchangestoyourfilesystem
This actually isn't the FIM feature. Looks like something else but I'm checking if it's just a bug.