Monitoring Splunk

How to resolve messages about 'File Integrity checks' for Splunk files

sloshburch
Splunk Employee

Getting this message "File Integrity checks found files that did not match the system-provided manifest. See splunkd.log for details."

Anyone seen this before? Any idea what it's about?

Seeing this in the splunkd.log:

09-24-2016 11:12:26.554 -0400 WARN  InstalledFilesHashChecker - An installed file="/opt/splunk/etc/log.cfg" did not pass hash-checking due to reason="content mismatch"

I'm using log-local.cfg so I'm wondering what I messed up here.
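As an added example (not code from this thread or from Splunk), a small Python triage script that parses InstalledFilesHashChecker warnings in the splunkd.log format shown above and separates files living under shipped default folders (etc/system/default and etc/apps/*/default, which later replies say should never be edited) from everything else. The sample log lines are constructed for the example; only the first is the line from the post, and the "file missing" reason string is an assumed value.

```python
import re

# Matches the WARN line format shown in the original post.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) WARN\s+'
    r'InstalledFilesHashChecker - An installed file="(?P<path>[^"]+)" '
    r'did not pass hash-checking due to reason="(?P<reason>[^"]+)"$'
)

# Shipped default locations that admins should override, never edit in place.
DEFAULT_DIR_RE = re.compile(r'/etc/(system/default|apps/[^/]+/default)/')

# Constructed sample log: first line is from the post, the rest are made up,
# including the assumed "file missing" reason.
SAMPLE_LOG = """\
09-24-2016 11:12:26.554 -0400 WARN  InstalledFilesHashChecker - An installed file="/opt/splunk/etc/log.cfg" did not pass hash-checking due to reason="content mismatch"
09-24-2016 11:12:26.555 -0400 WARN  InstalledFilesHashChecker - An installed file="/opt/splunk/etc/system/default/outputs.conf" did not pass hash-checking due to reason="content mismatch"
09-24-2016 11:12:26.556 -0400 INFO  loader - Splunkd starting (constructed line).
09-24-2016 11:12:26.557 -0400 WARN  InstalledFilesHashChecker - An installed file="/opt/splunk/etc/apps/launcher/default/app.conf" did not pass hash-checking due to reason="file missing"
"""


def parse_integrity_warnings(log_text):
    """Return one dict per InstalledFilesHashChecker WARN line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            records.append(m.groupdict())
    return records


def is_shipped_default(path):
    """True when the path sits in a shipped default folder (edited in place, or removed)."""
    return DEFAULT_DIR_RE.search(path) is not None


def triage(log_text):
    """Group failing paths so the admin can see which default files were touched."""
    groups = {"shipped_default": [], "other": []}
    for rec in parse_integrity_warnings(log_text):
        key = "shipped_default" if is_shipped_default(rec["path"]) else "other"
        groups[key].append(rec["path"])
    return groups


if __name__ == "__main__":
    for group, paths in triage(SAMPLE_LOG).items():
        print(group, paths)
```

Point the script at a real splunkd.log to get the same grouping the REST endpoint and `splunk validate files` report, with the default-folder edits called out separately.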

1 Solution

sanderdenheijer
Explorer

Using Splunk 6.5 (clustered environment) here and also getting the messages.

At https://[your_splunk]:8089/services/server/status//installed-file-integrity you can find an overview of the files that did not match the system-provided manifest.

Looks like default files that were changed.


adepasquale
Path Finder

I received this error after following another thread that stated you uninstall apps by disabling them, removing the folders from ./etc/apps and then restarting. Any idea how to fix this?


sloshburch
Splunk Employee

@adepasquale - The message means that files that come with Splunk (listed in the manifest file) were changed after install. This might mean you removed a required app like the launcher or search app. Tread carefully there and make sure everything in a base install exists. Alternatively, use the answers listed in this post to hide the messages and/or learn how to learn what files were changed.


vskoryk_splunk
Splunk Employee

./splunk validate files

sloshburch
Splunk Employee

Yes! In fact, we just had the docs team include this banner message's text in our docs. So hopefully anyone else running into this will more easily find the docs in an internet search:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/ChecktheintegrityofyourSplunksoftwarefiles#...


sloshburch
Splunk Employee

I don't think we posted this on here yet, but here's some background: http://docs.splunk.com/Documentation/Splunk/latest/Admin/ChecktheintegrityofyourSplunksoftwarefiles


sloshburch
Splunk Employee

A peer of mine, Justin, showed me that limits.conf has a setting, installed_files_integrity, that controls if the integrity items are exposed to the UI, splunkd.log, or not at all. I consider this a win!

Michael
Contributor

getting this too... I'm trying to clear any non-INFO issues logged in splunkd.log. Also trying to document things in my deployment by adding to README files (and commenting in other conf files) -- which of course changes the hash and triggers this WARNing. Most annoying...

Wish there was a way to update the hashes for the "InstalledFilesHashChecker" hash table...

6.5, cluster, deployment server, etc...

BTW, Luke, the link you provided is for file monitoring, this is not that. This is a hash check at startup to compare existing files to a manifest of ones originally installed.


sloshburch
Splunk Employee

That's a great example. I think in mine, it's just the meta files. Both shouldn't be so dramatic IMO. If you open a case on this, ask support to link to SPL-133233.


pkiripolsky
Path Finder

You can also use this CLI command to see which files were changed (if you have back-end access)
./splunk validate files


sloshburch
Splunk Employee

Lol. Look below and you'll spot that @vskoryk shared that time as well back in March. BUT, good idea to have it in here as part of the accepted answer since that's where folks will look.


fab73
Path Finder

Me too! I changed the metadata file to promote/share a view, but it was no longer useful anyway. Thanks.


borkborkbork
New Member

Following the above URL I get "404: Page not found". I don't have any "installed-file-integrity" page.


sloshburch
Splunk Employee

Sounds like you might have gone to the wrong URI or port. Wanna paste the URL here?


machiel
Path Finder

Your info helped me out too 🙂


sloshburch
Splunk Employee

Great catch! Root cause was some stuff I was screwing around with in regards to the introspection_generator_addon and user-prefs which were blowing away the default config. So, this is all my fault but thanks for catching the endpoint which exposed the root cause!


ashishlal82
Explorer

How did you revert back to the old settings? I have no clue what has changed in my default outputs.conf.


sloshburch
Splunk Employee

If you edited a setting within the default folder (something you should never do) simply do an upgrade or refer to the spec file where many of the defaults are outlined in the setting's description: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf


lukejadamec
Super Champion

What version of Splunk are you using?
You can read about file system monitoring here:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Monitorchangestoyourfilesystem


sloshburch
Splunk Employee

This actually isn't the FIM feature. Looks like something else but I'm checking if it's just a bug.
