Security

disable webserver ignored on AIX?

jpdubose
Explorer

We are using SplunkLightForwarder on an AIX box. We don't want port 8000 listening and have no real need for the web interface on the box so we have run "splunk disable webserver" to prevent splunkweb from starting. As such, there is a web.conf file in etc/system/local and it has the proper "startwebserver = 0" line.

This is where it gets kind of strange. On a boot or reboot of the server, splunkweb starts and is listening on port 8000. You can then go to $SPLUNK_HOME/bin and issue a "./splunk restart" command and splunkd and splunkweb stop and then only splunkd is started back up.

Is there something with inittab or somewhere else that splunk starts on machine boot that is still starting splunkweb or is this some kind of bug?

This was the behavior with splunk 3.4 and now with 4.1.2.

Thanks

0 Karma
1 Solution

mitch
Explorer

Yeah, looks like a bug. On AIX, "splunk enable boot-start" adds splunkd and splunkweb to SRC. Unfortunately the way that it does it probably won't respect the "disable webserver" setting because once its in SRC, bin/splunk isn't the one doing the launching and it doesn't get a chance to apply that setting. I'll have to think about how to handle this one.

It should be easy to manually fix on the box if you just do a:

  # rmssys -s splunkweb

to remove splunkweb from SRC

View solution in original post

mitch
Explorer

Yeah, looks like a bug. On AIX, "splunk enable boot-start" adds splunkd and splunkweb to SRC. Unfortunately the way that it does it probably won't respect the "disable webserver" setting because once its in SRC, bin/splunk isn't the one doing the launching and it doesn't get a chance to apply that setting. I'll have to think about how to handle this one.

It should be easy to manually fix on the box if you just do a:

  # rmssys -s splunkweb

to remove splunkweb from SRC

jpdubose
Explorer

The rmssys command did the trick.

So do I get a shirt for finding a bug? 🙂

0 Karma

Mick
Splunk Employee
Splunk Employee

It sounds like there's something in your server's startup prcoess that calls both the splunkd and splunkweb services directly. Perhaps something was configured originally to do this before the SplunkLightForwarder app was enabled?

When you just run the ./splunk start or ./splunk restart commands, it sounds like Splunk itself is doing the right thing, and not starting the splunkweb process, so something else must be calling that service directly. What have you got configured to start Splunk automatically when the server boots?

0 Karma

dwaddle
SplunkTrust
SplunkTrust

This sounds like a nonstandard part of the Splunk on AIX install. Splunk by default does not register itself with SRC, and would not be startable using startsrc. If you can, please post the output of the command (run as root):

odmget -q grpname=splunk SRCsubsys

0 Karma

jpdubose
Explorer

It looks like Splunk is started in the inittab through the following line:

splunk:2:once:/usr/bin/startsrc -g splunk > /dev/console 2>$1

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...