
Can you exclude specific files from the Splunk file validation?

Path Finder

After upgrading to Splunk 6.5.1 we began receiving an error message in the GUI stating "File Integrity checks found 1 files that did not match the system-provided manifest. See splunkd.log for details." After doing some digging it turned out to be the file "/opt/splunk/share/GeoLite2-City.mmdb" This is the Maxmind free GeoLite2 city database file that is used in conjunction with the iplookup command.

We actually update this file monthly with each new release of the GeoLite2-City.mmdb file. I'm guessing that since this file ships with Splunk it's being checked against the file manifest and is failing the integrity check due to a checksum mismatch.

Is there any way to exclude a file from this integrity check?

Looking at the docs regarding the integrity check and Health Monitoring console I couldn't find anything regarding exclusion of files.

docs.splunk.com/Documentation/Splunk/6.5.1/Admin/ChecktheintegrityofyourSplunksoftwarefiles
docs.splunk.com/Documentation/Splunk/6.5.1/DMC/Customizehealthcheck

0 Karma

Re: Can you exclude specific files from the Splunk file validation?

Legend

Hi RJ_Grayson,
no, you cannot exclude a single file from the integrity check; you can exclude only a full index.
See http://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Dataintegritycontrol
Bye.
Giuseppe

0 Karma

Re: Can you exclude specific files from the Splunk file validation?

Path Finder

I was speaking more along the lines of the Splunk "file integrity" that it does at startup. It checks all native/installed Splunk files against the manifest located in /opt/splunk. The manifest is a list of all Splunk files with their associated hash.

I'm going to try and remove the line item for GeoLite2-City.mmdb in the manifest file on one of my development boxes and see if Splunk complains.

0 Karma

Re: Can you exclude specific files from the Splunk file validation?

Legend

Ok sorry.
Bye.
Giuseppe

0 Karma

Re: Can you exclude specific files from the Splunk file validation?

Contributor

How did that go?

0 Karma

Re: Can you exclude specific files from the Splunk file validation?

Esteemed Legend

The file-integrity checks are accomplished by comparing the names, metadata, and checksums of every file that exists in the $SPLUNK_HOME/../splunk-<version>-<FooBarBlahJunk>-<platform>-manifest file for your installed Splunk version against files in $SPLUNK_HOME. You really should only have 1 manifest file in the $SPLUNK_HOME/.. directory, but you probably have many.

So find the manifest file that matches the version of Splunk that is installed and find the line that matches the file that you are updating and completely remove this line from the manifest file. Your errors will be gone forever (or until the next upgrade, which will give you a new manifest file).


Re: Can you exclude specific files from the Splunk file validation?

Esteemed Legend

Did you try this? Did it work?


Re: Can you exclude specific files from the Splunk file validation?

Path Finder

Cheers Woodcock, works for me.

0 Karma

Re: Can you exclude specific files from the Splunk file validation?

Path Finder

Hi,
I am having the same issue: after updating the GeoLite2-City.mmdb file, I receive a file integrity error in Splunk.

I solved the issue using HashTool from DigitalVolcano Software: I retrieved the SHA-256 hash of the new GeoLite2-City.mmdb file, then modified the manifest by replacing the old hash with the new hash.
Restart Splunk.
Now no more file integrity error. I suppose each time we update the MMDB file this procedure will be required.

Guillaume

Re: Can you exclude specific files from the Splunk file validation?

Path Finder

We had the same problem. You can either delete the entry in the manifest file or give it the hash of the updated file.

0 Karma
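The two fixes discussed in this thread (replace the recorded hash, or drop the entry) as a small POSIX shell script. This is an added example, not posted by anyone above; it assumes a line-oriented manifest where each entry carries the path relative to $SPLUNK_HOME and a 64-hex SHA-256 digest as separate tokens, and that GNU coreutils `sha256sum` is available.

```shell
#!/bin/sh
# Added example (not posted in the thread): inspect and correct one entry of the
# Splunk file-integrity manifest after replacing share/GeoLite2-City.mmdb.
# Assumption, not confirmed by the thread: each manifest line holds the file's
# path relative to $SPLUNK_HOME and a 64-hex SHA-256 digest as separate tokens.
# Work on a backup copy of the manifest; sha256sum is GNU coreutils.
set -eu

file_sha256() { sha256sum "$1" | awk '{ print $1 }'; }

# Print the digest recorded for RELPATH (exact token match, not a substring).
manifest_hash() {
    awk -v p="$2" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == p) hit = 1 }
        hit { for (i = 1; i <= NF; i++)
                  if (length($i) == 64 && $i ~ /^[0-9a-f]+$/) { print $i; exit } }
    ' "$1"
}

# Does the file on disk still match what the manifest records? (0 yes, 1 no, 2 no entry)
check_entry() {
    rec=$(manifest_hash "$1" "$2")
    [ -n "$rec" ] || { echo "no manifest entry for $2" >&2; return 2; }
    [ "$rec" = "$(file_sha256 "$3")" ] && echo "MATCH $2" || { echo "MISMATCH $2" >&2; return 1; }
}

# Option 1 (Guillaume's route): record the updated file's digest in the manifest.
update_entry() {
    new=$(file_sha256 "$3")
    awk -v p="$2" -v h="$new" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == p) hit = 1 }
        hit { for (i = 1; i <= NF; i++)
                  if (length($i) == 64 && $i ~ /^[0-9a-f]+$/) { sub($i, h); n++ } }
        { print }
        END { exit (n ? 0 : 1) }   # nothing rewritten: leave the manifest untouched
    ' "$1" > "$1.new" || { rm -f "$1.new"; echo "no manifest entry for $2" >&2; return 1; }
    mv "$1.new" "$1"
}

# Option 2 (woodcock's route): drop the entry so the file is no longer checked.
remove_entry() {
    awk -v p="$2" '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == p) keep = 0 } keep' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Typical use (paths illustrative; pick the manifest for the installed version):
#   m=$(ls /opt/splunk/splunk-6.5.1-*-manifest); cp "$m" "$m.bak"
#   check_entry "$m" share/GeoLite2-City.mmdb /opt/splunk/share/GeoLite2-City.mmdb \
#     || update_entry "$m" share/GeoLite2-City.mmdb /opt/splunk/share/GeoLite2-City.mmdb
```

Run `check_entry` first: a MISMATCH confirms the manifest entry, not the file, is what needs attention, and the same call verifies the manifest after the edit.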