Security

disable webserver ignored on AIX?

jpdubose
Explorer

We are using SplunkLightForwarder on an AIX box. We don't want port 8000 listening and have no real need for the web interface on the box so we have run "splunk disable webserver" to prevent splunkweb from starting. As such, there is a web.conf file in etc/system/local and it has the proper "startwebserver = 0" line.

This is where it gets kind of strange. On a boot or reboot of the server, splunkweb starts and is listening on port 8000. You can then go to $SPLUNK_HOME/bin and issue a "./splunk restart" command and splunkd and splunkweb stop and then only splunkd is started back up.

Is there something with inittab or somewhere else that splunk starts on machine boot that is still starting splunkweb or is this some kind of bug?

This was the behavior with splunk 3.4 and now with 4.1.2.

Thanks

0 Karma
1 Solution

mitch
Explorer

Yeah, looks like a bug. On AIX, "splunk enable boot-start" adds splunkd and splunkweb to SRC. Unfortunately the way that it does it probably won't respect the "disable webserver" setting because once its in SRC, bin/splunk isn't the one doing the launching and it doesn't get a chance to apply that setting. I'll have to think about how to handle this one.

It should be easy to manually fix on the box if you just do a:

  # rmssys -s splunkweb

to remove splunkweb from SRC

View solution in original post

mitch
Explorer

Yeah, looks like a bug. On AIX, "splunk enable boot-start" adds splunkd and splunkweb to SRC. Unfortunately the way that it does it probably won't respect the "disable webserver" setting because once its in SRC, bin/splunk isn't the one doing the launching and it doesn't get a chance to apply that setting. I'll have to think about how to handle this one.

It should be easy to manually fix on the box if you just do a:

  # rmssys -s splunkweb

to remove splunkweb from SRC

jpdubose
Explorer

The rmssys command did the trick.

So do I get a shirt for finding a bug? 🙂

0 Karma

Mick
Splunk Employee
Splunk Employee

It sounds like there's something in your server's startup prcoess that calls both the splunkd and splunkweb services directly. Perhaps something was configured originally to do this before the SplunkLightForwarder app was enabled?

When you just run the ./splunk start or ./splunk restart commands, it sounds like Splunk itself is doing the right thing, and not starting the splunkweb process, so something else must be calling that service directly. What have you got configured to start Splunk automatically when the server boots?

0 Karma

dwaddle
SplunkTrust
SplunkTrust

This sounds like a nonstandard part of the Splunk on AIX install. Splunk by default does not register itself with SRC, and would not be startable using startsrc. If you can, please post the output of the command (run as root):

odmget -q grpname=splunk SRCsubsys

0 Karma

jpdubose
Explorer

It looks like Splunk is started in the inittab through the following line:

splunk:2:once:/usr/bin/startsrc -g splunk > /dev/console 2>$1

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...