Re: Can you exclude specific files from the Splunk...

RJ_Grayson · ‎01-26-2017

After upgrading to Splunk 6.5.1 we began receiving an error message in the GUI stating "File Integrity checks found 1 files that did not match the system-provided manifest. See splunkd.log for details." After doing some digging it turned out to be the file "/opt/splunk/share/GeoLite2-City.mmdb" This is the Maxmind free GeoLite2 city database file that is used in conjunction with the iplookup command.

We actually update this file monthly with each new release of the GeoLite2-City.mmdb file. I'm guessing that since this file ships with Splunk it's being checked against the file manifest and is failing the integrity check due to a checksum mismatch.

Is there any way to exclude a file from this integrity check?

Looking at the docs regarding the integrity check and Health Monitoring console I couldn't find anything regarding exclusion of files.

docs.splunk.com/Documentation/Splunk/6.5.1/Admin/ChecktheintegrityofyourSplunksoftwarefiles
docs.splunk.com/Documentation/Splunk/6.5.1/DMC/Customizehealthcheck

gpareesi11 · ‎06-21-2017

Hi,
I having the same issue, after updating the GeoLite2-city.mmdb file, I receive file Integrity Error in Splunk.

I solve the issue using HashTool from DigitalVolcano Software, I retrieve the SHA-256 hash from the new GeoLite2-City.mmdb file, then I've modify the manifest by replacing the old Hash with the new Hash.
Restart Splunk
Now no more file integrity error. I suppose each time we update the MMDB file this procedure will be require.

Guillaume

jmantor · ‎07-20-2018

We had the same problem. You can either delete the entry in the manifest file or give it the hash of the updated file.

woodcock · ‎03-04-2017

The file-integrity checks are accomplished by comparing the names, metadata, and checksums of every file that exists in the $SPLUNK_HOME/../splunk-<version>-<FooBarBlahJunk>-<platform>-manifest file for your installed Splunk version against files in $SPLUNK_HOME. You really should only have 1 manifest file in the $SPLUNK_HOME/.. directory, but you probably have many.

So find the manifest file that matches the version of Splunk that is installed and find the line that matches the file that you are updating and completely remove this line from the manifest file. Your errors will be gone forever (or until the next upgrade, which will give you a new manifest file).

lukessi · ‎07-15-2020

Cheers Woodcock works for me.

woodcock · ‎03-27-2017

Did you try this? Did it work?

gcusello · ‎01-26-2017

Hi RJ_Grayson,
no you cannot excplude a single file from integrity check, you can exclude only a full index.
See http://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Dataintegritycontrol
Bye.
Giuseppe

RJ_Grayson · ‎01-27-2017

I was speaking more along the lines of the Splunk "file integrity" that it does at startup. It checks all native/installed Splunk files against the manifest located in /opt/splunk. The manifest is a list of all Splunk files with their associated hash.

I'm going to try and remove the line item for GeoLite2-City.mmdb in the manifest file on one of my development boxes and see if Splunk complains.

mrgibbon · ‎03-26-2017

How did that go?

gcusello · ‎01-27-2017

Ok sorry.
Bye.
Giuseppe

Can you exclude specific files from the Splunk file validation?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation