After upgrading to Splunk 6.5.1 we began receiving an error message in the GUI stating "File Integrity checks found 1 files that did not match the system-provided manifest. See splunkd.log for details." After doing some digging it turned out to be the file "/opt/splunk/share/GeoLite2-City.mmdb". This is the MaxMind free GeoLite2 City database file that is used in conjunction with the iplookup command.
We actually update this file monthly with each new release of the GeoLite2-City.mmdb file. I'm guessing that since this file ships with Splunk it's being checked against the file manifest and is failing the integrity check due to a checksum mismatch.
Is there any way to exclude a file from this integrity check?
Looking at the docs regarding the integrity check and Health Monitoring console I couldn't find anything regarding exclusion of files.
I'm having the same issue: after updating the GeoLite2-City.mmdb file, I receive a File Integrity error in Splunk.
I solved the issue using HashTool from DigitalVolcano Software: I retrieved the SHA-256 hash of the new GeoLite2-City.mmdb file, then modified the manifest by replacing the old hash with the new hash.
Now there is no more file integrity error. I suppose each time we update the MMDB file this procedure will be required.
The file-integrity checks are accomplished by comparing the names, metadata, and checksums of every file that exists in the $SPLUNK_HOME/../splunk-<version>-<FooBarBlahJunk>-<platform>-manifest file for your installed Splunk version against files in $SPLUNK_HOME. You really should only have 1 manifest file in the $SPLUNK_HOME/.. directory, but you probably have many.
So find the manifest file that matches the version of Splunk that is installed and find the line that matches the file that you are updating and completely remove this line from the manifest file. Your errors will be gone forever (or until the next upgrade, which will give you a new manifest file).
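One way to handle the updated file without dropping it from the check, as an added example that is not from this thread or from Splunk: the script below recomputes the SHA-256 of the file on disk and rewrites only that entry's hash, so the manifest keeps covering the file and a later unexpected change to it would still be reported. The manifest field layout it assumes (whitespace-separated fields, hash second-to-last, $SPLUNK_HOME-relative path last) is an assumption, as are the sample manifest lines it constructs.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk. Refreshes the SHA-256
# recorded for one file in a Splunk-style manifest so the integrity check keeps
# covering that file instead of its line being deleted.
# Assumed line layout: whitespace-separated fields, hash second-to-last,
# $SPLUNK_HOME-relative path last.
set -eu

# Print the SHA-256 hex digest of a file (sha256sum or shasum, whichever exists).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# manifest_hash MANIFEST RELPATH: print the hash recorded for RELPATH.
manifest_hash() {
    awk -v p="$2" '$NF == p { print $(NF-1) }' "$1"
}

# update_manifest MANIFEST SPLUNK_HOME RELPATH: replace the recorded hash with
# the digest of the file on disk. Acts only if exactly one line matches, and
# rewrites just that line's hash field so spacing and other entries stay intact.
update_manifest() {
    manifest=$1; home=$2; rel=$3
    new=$(file_sha256 "$home/$rel")
    matches=$(awk -v p="$rel" '$NF == p' "$manifest" | wc -l | tr -d ' ')
    if [ "$matches" -ne 1 ]; then
        echo "expected one manifest entry for $rel, found $matches" >&2
        return 1
    fi
    awk -v p="$rel" -v h="$new" '$NF == p { sub($(NF-1), h) } { print }' \
        "$manifest" > "$manifest.new"
    mv "$manifest.new" "$manifest"
    echo "$new"
}

# Stand-alone demo: run with --demo to update a constructed manifest in a tmpdir.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); mkdir -p "$d/share"
    printf 'abc' > "$d/share/GeoLite2-City.mmdb"          # constructed content
    printf 'f 0644 splunk splunk OLDHASH share/GeoLite2-City.mmdb\n' > "$d/manifest"
    update_manifest "$d/manifest" "$d" share/GeoLite2-City.mmdb
    cat "$d/manifest"
fi
```

Run it as `sh update_manifest.sh --demo` to see the rewritten line; for a real install, back up the manifest first and confirm the field positions match your version's file before pointing the script at it.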
No, you cannot exclude a single file from the integrity check; you can exclude only a full index.
I was speaking more along the lines of the Splunk "file integrity" that it does at startup. It checks all native/installed Splunk files against the manifest located in /opt/splunk. The manifest is a list of all Splunk files with their associated hash.
I'm going to try and remove the line item for GeoLite2-City.mmdb in the manifest file on one of my development boxes and see if Splunk complains.