We are using scripted authentication in Splunk using credentials of a central system. This works fine for 4 users out of 5 who have the same role, same privileges and same index assigned.
However, for one user, Splunk Web throws *500 Internal Server Error*. After enabling debug, the scripted authentication is 'successful' including all three functions, i.e. userLogin, getUserInfo, getUsers. However, once it's submitted to splunkd, it throws the error AdminHandler:AuthenticationHandler - Insufficient permissions to list user:<username>
The user has exactly the same privileges as the others.
Please share if you have experienced the same issue and a possible solution, if any.
We have a Cloud Foundry setup and want to forward the logs to Splunk as a syslog drain. The TCP/UDP input method is not ideal since the restart of the index will cause loss of data.
Moreover, the need for changes in inputs.conf will be more frequent (we are planning to create the data forwarding on an on-demand basis from different clients), which in turn will cause multiple restarts of the indexer as well.
We are running an indexer cluster and a rolling restart is possible, but again a load balancer and a re-configuration of the same is needed to tell the load balancer not to send any data to the indexer which is being restarted. [A load balancer is needed here since there are no forwarders involved.]
Having a separate syslog-ng or a forwarder is also not an option since it's adding more components and complicating the high availability setup.
If you have done any HA setup for Cloud Foundry - Splunk integration, please share.