Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

File Integrity Check Error in Heavy Forwarder Server

anandhalagaras1
Communicator
‎08-16-2023 09:37 AM

In my Heavy Forwarder server I am seeing this message as below recently in the messages tab. 

File Integrity checks found 114 files that did not match the system-provided manifest. Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View ; potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem. Learn more.

So how can we get it fixed.

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2023 05:24 AM

It's best to not touch any app that ships with Splunk.

The HF and DS do not need the app, although it can be used on an HF.  Do not uninstall it.  It is safe to disable it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2023 12:51 PM

The message pretty much says what you need to do.

Login to the HF and open the Search & Reporting app.  Click on the Dashboards tab then select "Integrity Check of Installed Files".  That dashboard will list the files that failed integrity checks.

To fix them:

1) Undo any changes made to the files or restore them from the download file that installed them.

2) NEVER change a file in a 'default' directory.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

anandhalagaras1
Communicator
‎08-17-2023 12:04 AM

@richgalloway

Thanks for your response.

Recently we have upgraded the app "Upgrade Readiness App" to the latest version 4.1.1 in the HF server post which i am getting the error message in Splunk.

As you have mentioned I have navigated to the Dashboard section and then I have clicked the "Integrity Check of Installed Files" dashboard and here I can see the file path and results and for all of them it seems to be triggered from Upgrade Readiness App only. Refer below:

So how can we get it fixed.

File path Check result
/opt/splunk/etc/apps/python_upgrade_readiness_app/appserver/static/pages/jquery_scan.js differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/appserver/static/pages/python_scan.js differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/appserver/static/pages/setting.js differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/appserver/static/pages/setting_scan.js differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/appserver/static/pages/splunk9x_scan.js differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/bin/eura_app_list.py differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/bin/eura_check_mongodb_tls_dns_validation.py differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/bin/eura_check_python_tls.py differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/bin/eura_check_search_peer_ssl_config.py differs
/opt/splunk/etc/apps/python_upgrade_readiness_app/bin/eura_email_notification_switch_scripted_input.py differs

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2023 05:06 AM

The Upgrade Readiness App ships with Splunk and so should not be upgraded separately.  That Splunk allows it to be upgraded is a mistake, IMO.

You can try downgrading the app or just live with the file integrity warnings.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

anandhalagaras1
Communicator
‎08-17-2023 05:11 AM

@richgalloway ,

Thank you for the information. 

So is this app  really required to be present in HF and DM server and if its not really needed then  can we uninstall the app?

Or can we disable the app in our HF and DM server.

Which can be a recommended solution here. Please suggest.

 

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2023 05:24 AM

It's best to not touch any app that ships with Splunk.

The HF and DS do not need the app, although it can be used on an HF.  Do not uninstall it.  It is safe to disable it.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

anandhalagaras1
Communicator
‎08-17-2023 05:38 AM

@richgalloway 

Thank you for your valuable inputs.

Much appreciated.

As of now I will disable them in HF and DM servers.

 

Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...