workaround for "unable to write 'random state'" when installing?

JeToJedno
Explorer

When installing latest version on Linux, with a splunk OS user set (SPLUNK_OS_USER=splunk) in etc/splunk-launch.conf, I get "unable to write 'random state'" when it's generating the keys. This means the ssh keys have been generated with inadequate randomisation.

Is there a workaround?

dslife_splunk
Splunk Employee

What's happening is OpenSSL is trying to create/modify ~splunk/.rnd and can't.

To resolve, check /etc/passwd to see where the system thinks the home directory is, and then make sure it exists with the correct permissions. In theory you could set splunk's home directory to your install location, but there may or may not be security implications of having the .rnd in $SPLUNK_HOME.

I'm still working on grokking the full Splunk security model, but I'm sure the ultimate solution is to not use the self-signed certificates and install real certificates.

jkat54
SplunkTrust

In practice, the most common reason for this happening seems to be that the .rnd file in your home directory is owned by root rather than your account.

Easiest solution:
As Splunk user

sudo rm ~/.rnd

~/ is the equivalent of "the current user's home directory", which, as @dslife suggested, is also shown in /etc/passwd.

grep splunk /etc/passwd

The splunk user's home directory is typically one of the following:

/home/splunk
/opt/splunk
/opt/splunkforwarder
/applications/splunk
/applications/splunkforwarder

Therefore you could delete the .rnd file like this:

rm /home/splunk/.rnd

Or you could change ownership of it like this:

chown -f splunk: /home/splunk/.rnd
0 Karma
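The checks described in the two answers above (home directory as recorded in /etc/passwd, whether it exists, and who owns .rnd), combined into one function. This is an added example, not part of the original thread or Splunk's own tooling; the function name `check_rnd` and its optional passwd-file and root-prefix arguments are assumptions introduced so it can be tried against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread): report why OpenSSL may be unable to
# write ~/.rnd for a service account.
# Usage: check_rnd USER [PASSWD_FILE] [ROOT_PREFIX]
#   PASSWD_FILE defaults to /etc/passwd; ROOT_PREFIX (hypothetical, for
#   testing) is prepended to the home directory read from that file.
# Prints one status word: ok, no-such-user, home-missing,
#   rnd-wrong-owner, home-wrong-owner. Returns non-zero unless "ok".
# Simplification: only numeric ownership is compared, not modes or ACLs.
check_rnd() {
    user=$1
    passwd=${2:-/etc/passwd}
    root=${3:-}

    # passwd fields: name:password:uid:gid:gecos:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $6; exit }' "$passwd")
    [ -n "$entry" ] || { echo "no-such-user"; return 1; }
    uid=${entry%%:*}
    home=$root${entry#*:}

    # The home directory named in passwd must actually exist.
    [ -d "$home" ] || { echo "home-missing"; return 1; }

    rnd=$home/.rnd
    if [ -e "$rnd" ]; then
        # Existing seed file: it must belong to the account, not e.g. root.
        owner=$(ls -ldn "$rnd" | awk '{ print $3 }')
        if [ "$owner" != "$uid" ]; then
            echo "$rnd is owned by uid $owner, expected $uid" >&2
            echo "rnd-wrong-owner"; return 1
        fi
    else
        # No seed file yet: the account must own the directory to create one.
        owner=$(ls -ldn "$home" | awk '{ print $3 }')
        if [ "$owner" != "$uid" ]; then
            echo "$home is owned by uid $owner, expected $uid" >&2
            echo "home-wrong-owner"; return 1
        fi
    fi
    echo "ok"
}

# Example call on a real host: check_rnd splunk
```
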