splunkd service 7.1.1 on Windows 10 RS4 x64 keeps stopping

emcclure
Explorer

Hello,

I'm new to splunk so please bear with me. I have just installed the forwarder service on a Windows 10 RS4 x64 image. It appears after a couple minutes that the service just stops. I then get an error that you see here: answers.splunk.com/answers/609072/i-am-not-able-to-run-splunkkd-service-on-windows10.html and here answers.splunk.com/answers/301878/has-anyone-come-across-the-error-the-splunkforward.html. I have found the log and here are the errors I get:

ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" Method invocation failed because [System.Management.Automation.PowerShellAsyncResult] does not contain a method named
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" 'Close'.
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" At C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1:280 char:1
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" + $psDisposer.runspace.Close()
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" + CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" + FullyQualifiedErrorId : MethodNotFound
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe""

06-29-2018 14:13:37.775 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\SA-ModularInput-PowerShell\bin\healthlog.bat"" ^C

I didn't see a python folder as mentioned in the first link above, and since it didn't say what was deleted I'm not going to attempt anything like that. I have tried to reinstall the service, but I get the same issue. AFAIK we have it installed on other machines; I'm not sure about Win 10 RS4 but I'd like to think so.

The plan is to have this installed on a template that would be cloned by users and then everything would report to the splunk server. However I don't know if that's possible, or if I need to install it again, as the splunk forwarder was installed on the template when I cloned it, so I don't know if that caused a problem or not. I'd also like to know if the splunk forwarder sends data to the splunk server even if nobody is logged onto the machine, or if someone was to create one from the template but not log in to it for some time. Any and all help is appreciated. Thanks in advance.

jacobpevans
Motivator

Great write-up @emcclure.

We are seeing the exact same splunk-powershell errors only on our Windows 10 and Windows Server 2016, although the forwarders do NOT crash like they do for you. Most of our affected servers do not have a - in the computer name, so I think this question actually has two different issues.

Versions:

  • Splunk: 7.2.4
  • Windows TA 6.0.0 (although there have been almost no changes from 6 to 8.0.0)

These are the two important lines in your log (mine too):

At C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1:280 char:1
$psDisposer.runspace.Close()

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
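As an added example (not part of any post in this thread, and not Splunk's own code): splunkd.log spreads one PowerShell error record over several ExecProcessor lines, so this sketch regroups them by timestamp and emitting program and pulls out the script location, the failing statement and the error id. The sample lines are constructed from the log quoted in the question, and the function names are this example's own.

```python
import re

# Constructed sample, taken from the ExecProcessor lines quoted in the question.
SAMPLE = r'''
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" Method invocation failed because [System.Management.Automation.PowerShellAsyncResult] does not contain a method named
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" 'Close'.
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" At C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1:280 char:1
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" + $psDisposer.runspace.Close()
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" + CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" + FullyQualifiedErrorId : MethodNotFound
06-29-2018 14:13:37.135 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe""
06-29-2018 14:13:37.775 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\SA-ModularInput-PowerShell\bin\healthlog.bat"" ^C
'''

LINE_RE = re.compile(
    r'^(?P<ts>\d\d-\d\d-\d{4} [\d:.]+ [+-]\d{4}) ERROR ExecProcessor - '
    r'message from "+(?P<src>[^"]+)"+ ?(?P<msg>.*)$')
AT_RE = re.compile(r'^At (?P<script>.+?):(?P<line>\d+) char:\d+$')
ID_RE = re.compile(r'FullyQualifiedErrorId : (\S+)')


def group_exec_messages(text):
    """Group message fragments by (timestamp, emitting program), in log order."""
    groups = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m["msg"]:  # skip non-matching lines and empty fragments
            groups.setdefault((m["ts"], m["src"]), []).append(m["msg"])
    return groups


def summarize(fragments):
    """Extract script location, failing statement and error id from one record."""
    out = {"script": None, "line": None, "statement": None, "error_id": None}
    for i, frag in enumerate(fragments):
        at = AT_RE.match(frag)
        if at:
            out["script"], out["line"] = at["script"], int(at["line"])
            # PowerShell prints the failing statement on the next "+ " line.
            if i + 1 < len(fragments) and fragments[i + 1].startswith("+ "):
                out["statement"] = fragments[i + 1][2:]
        hit = ID_RE.search(frag)
        if hit:
            out["error_id"] = hit.group(1)
    return out

if __name__ == "__main__":
    for (ts, src), frags in group_exec_messages(SAMPLE).items():
        print(ts, src.rsplit("\\", 1)[-1], summarize(frags))
```
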

emcclure
Explorer

So to update some findings here:

If I install splunk universalforwarder 7.1.2 on a machine that's either splunktest or splunk-test and it's reporting to a splunk server that's 7.1.1 it will install, but the service will stop running.

If I try to name the machine with an _ somewhere, say splunk_test, Windows doesn't like it as it's a non-standard character. If I try a . it fails and tells me I can only use letters, numbers or hyphens, but hyphens seem to cause an issue.

The machine that has VSE on it is still running strong, service hasn't been killed yet.

So have I found a bug with the hyphen in the name? Is that fixed in 7.1.2, but I'll need the reporting server to be upgraded first?

0 Karma

emcclure
Explorer

Well, so what I've noticed so far is if the machine name has a - anywhere in it, it fails, even though from what I can tell this shouldn't be the case. If I create a machine called splunktest then splunk universalforwarder installs just fine and the service continues to run w/o issue. If I create a machine called splunk-test the install completes, however the service will stop after a minute. If I then rename that machine to sptest then the service stays up. If I create a machine called -PC the install will not complete and gives me this error: ERROR: serverName must start with a letter, number, or underscore. You have: -PC.

The last one I find odd. It tells me what I can't have as the first character which is ok, but even if I have that - elsewhere I still have problems. I'll have to confirm if I still have this problem with 7.1.2. I think the server it reports to is 7.1.1, so I'm not sure if that would create an additional problem or not.

Another issue I found is if you have the Windows firewall running with the default settings it will cause the splunk forwarder service to not work properly.

I have also installed McAfee VSE 8.8 Patch 11 for this Windows 10 RS4 image. I found this link: https://docs.splunk.com/Documentation/Splunk/7.1.1/ReleaseNotes/RunningSplunkalongsideWindowsantivir... and entered that info in as well to see if the service will stop or not. So far after the install and configuring VSE the service continues to run and is reporting to the splunk server. However I'm going to reboot and see if it still comes up. So far so good. I am going to see what happens for a bit and then update this post, I will also install 7.1.2 on a couple machines to see if I get the same results or not.

0 Karma