Problem with indexer discovery on AIX using Univer...

las · ‎05-21-2021

Hi.

I would like to know if anybode else had this issue.

We upgraded our UF on AIX to 8.1.3 from 8.0.4, following the guidelines from Splunk.

We have set outputs.conf to use indexer discovery.

After the upgrade we saw these message:

ERROR IndexerDiscoveryHeartbeatThread - Error in Indexer Discovery communication. Verify that the pass4SymmKey set under [indexer_discovery:prod] in 'outputs.conf' matches the same setting under [indexer_discovery] in 'server.conf' on the Cluster Master. [uri=https://xxxx:8089/services/indexer_discovery http_code=502 http_response="OK"]

The pass4SymmKey has not changed during the upgrade.

We changed the configuration to bypass indexer discovery, and that got data flowing into the system again.

Kind regards

Lars Søndergaard

isoutamo · ‎05-24-2021

Is your CM already at least level 8.1.3?
How you did your UF upgrade (just upgrade or remove/install)?
r. Ismo

las · ‎05-25-2021

Hi.

Yes, the CM was upgraded to 8.1.3 prior to the upgrade of the UFs. It was just an upgrade, so no remove.

kind regards

Lars

isoutamo · ‎05-25-2021

Have you try to update pass4SymmKey already? Even it has worked earlier there could be happened something which has corrupted it or change splunk.secret on UF.

las · ‎06-03-2021

Yes, I did try to update the pass4SymmKey, that didn't work.

It seems this problem is only on the AIX part, we have succesfully upgraded both Linux and Windows so it is not a general bug.

Kind regards

las

isoutamo · ‎06-03-2021

Probably you should raise a ticket to splunk support.

Problem with indexer discovery on AIX using Universal Forwarder 8.1.3

upgrade

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest