Splunk Enterprise

Can't get started...

snickered
Path Finder

I've followed the installation instructions for FreeBSD but am not able to start splunk as a non-root user upon boottime.

root@fbsd3:~ # $SPLUNK_HOME/bin/splunk enable boot-start -user splunk
Shared object "libxml2.so.11" not found, required by "splunkd"
Shared object "libxml2.so.11" not found, required by "splunkd"
Shared object "libxml2.so.11" not found, required by "splunkd"
Did not find "disabled" setting of "kvstore" stanza in server bundle.
Can't create RC file "/etc/rc.d/splunk": Permission denied
root@fbsd3:~ # su - splunk
splunk@fbsd3:~ % $SPLUNK_HOME/bin/splunk enable boot-start -user splunk
Can't create RC file "/etc/rc.d/splunk": Permission denied

But I'm able to run splunk fine as the user splunk:

splunk@fbsd3:~ % /opt/splunk/bin/splunk start

Splunk Like an F-18, bro.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Done

Waiting for web server at http://127.0.0.1:8000 to be available. Done

If you get stuck, we're here to help.

Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://fbsd3.domain.local:8000

0 Karma
1 Solution

snickered
Path Finder

Alright, so it looks like there was something wrong with my rc script. Here's a patch for FreeBSD-current users. I got the answer from here: http://lists.freebsd.org/pipermail/freebsd-current/2012-January/031246.html. Sorry for the (non)formatting, I can't ever get the pre tags to work on this forum.

root@fbsd3:~ # diff -u /etc/rc.d/splunk.orig /etc/rc.d/splunk
--- /etc/rc.d/splunk.orig       2014-11-07 17:21:12.000000000 -0600
+++ /etc/rc.d/splunk    2014-11-08 09:24:36.000000000 -0600
@@ -12,7 +12,7 @@

 name=splunk
 extra_commands="status"
-rcvar=`set_rcvar`
+rcvar=splunk_enable
 eval "${rcvar}=\${${rcvar}:-'NO'}"

 splunk_start()
root@fbsd3:~ # 

After a reboot all is good and splunkd is running as my splunk user. 🙂

View solution in original post

0 Karma

snickered
Path Finder

Alright, so it looks like there was something wrong with my rc script. Here's a patch for FreeBSD-current users. I got the answer from here: http://lists.freebsd.org/pipermail/freebsd-current/2012-January/031246.html. Sorry for the (non)formatting, I can't ever get the pre tags to work on this forum.

root@fbsd3:~ # diff -u /etc/rc.d/splunk.orig /etc/rc.d/splunk
--- /etc/rc.d/splunk.orig       2014-11-07 17:21:12.000000000 -0600
+++ /etc/rc.d/splunk    2014-11-08 09:24:36.000000000 -0600
@@ -12,7 +12,7 @@

 name=splunk
 extra_commands="status"
-rcvar=`set_rcvar`
+rcvar=splunk_enable
 eval "${rcvar}=\${${rcvar}:-'NO'}"

 splunk_start()
root@fbsd3:~ # 

After a reboot all is good and splunkd is running as my splunk user. 🙂

0 Karma

snickered
Path Finder

I'm pretty sure it was a permissions problem. Originally I tried this guide: http://wiki.splunk.com/Deploy:EnsuringSplunkRunsAsNonRootUser and it didn't workout too well. I started over and used the guide here: http://docs.splunk.com/Documentation/Splunk/latest/installation/RunSplunkasadifferentornon-rootuser#.... That worked out well and everything seems to be fine with the exception of "boot-start" (http://docs.splunk.com/Documentation/Splunk/latest/admin/ConfigureSplunktostartatboottime#Enable_boo...) not working. I'm going to start a new thread for that if I can't figure it out pretty soon.

0 Karma

frmaasdam
Path Finder

Check the ownerships of ALL your Splunk files.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...