Solved: Re: Splunk Universal Forwarder not starting after ...

anh_nguyen · ‎10-11-2023

I've tried to enable boot-start on *nix and Windows, but after the machine reboots, Splunk Forwarder still cannot start automatically. Can anyone have solutions for this case?

isoutamo · ‎10-16-2023

Base on this error message, it haven't removed /etc/init.d/splunk file. You should run again "disable" part and then check if that /etc/init.d/splunk file is there or not. If/when it's there, you must resolve the reason why it's here and remove it. Probably you have some hardening etc. on your system which cause this?

View solution in original post

richgalloway · ‎10-12-2023

Please tell us more. Were you successful at enabling boot-start? What command did you use? Did you do so as root? What errors are reported when the UF tries to start automatically?

---
If this reply helps you, Karma would be appreciated.

anh_nguyen · ‎10-12-2023

For Ubuntu: I used the command

[sudo] $SPLUNK_HOME/bin/splunk enable boot-start

But when i rebooted the machine, I check the status of splunk forwader by using command ./splunk status. It returned "splunkd is not running".

For Windows: according to Splunk document, Splunk will run automatically after startup. But after restarting the machine, i checked in the Task Manager, the SplunkForwarder was not running.

isoutamo · ‎10-13-2023

Hi

When you have run that command have you gotten any error/warnigs?

Have you try this?

sudo -uroot bash
$SPLUNK_HOME/bin/splunk enable boot-start -user splunk -systemd-managed 1

In current linux versions it's usually better to run splunk under systemd than old init.

But if you still want to use init then you must also update those startup scripts as this instructions said https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/ConfigureSplunktostartatboottime

r. Ismo

anh_nguyen · ‎10-16-2023

I've tried the commands you suggested. But it still not work yet.

isoutamo · ‎10-16-2023

Base on this error message, it haven't removed /etc/init.d/splunk file. You should run again "disable" part and then check if that /etc/init.d/splunk file is there or not. If/when it's there, you must resolve the reason why it's here and remove it. Probably you have some hardening etc. on your system which cause this?

anh_nguyen · ‎10-25-2023

Finally, it works! Thank you very much.

SinghK · ‎10-13-2023

and for Ubuntu when you try to start it manually does it start or gives the same errors?

anh_nguyen · ‎10-16-2023

when I try to start splunk by command "./splunk start", it starts normally

SinghK · ‎10-13-2023

for windows the service status should be set to automatic for it to start on boot.

Splunk Universal Forwarder not starting after rebooting

administration

troubleshooting

using Splunk Enterprise

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases