Activity Feed
- Posted Re: Valid JSON not being broken up into individual events on Getting Data In. 12-14-2020 03:23 AM
- Posted Valid JSON not being broken up into individual events on Getting Data In. 12-10-2020 01:55 AM
- Posted Stripping syslog-ng headers from Snort/idstools-u2json JSON files on Getting Data In. 11-19-2020 02:21 AM
- Tagged Stripping syslog-ng headers from Snort/idstools-u2json JSON files on Getting Data In. 11-19-2020 02:21 AM
- Karma Re: Raspberry Pi Universal Forwarder Bug Report for splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz: for darrenfuller. 06-05-2020 12:51 AM
- Karma Re: forwarder for ARM: /opt/splunkforwarder/bin/splunk: No such file or directory for idsiano. 06-05-2020 12:47 AM
- Posted Re: Raspberry Pi Universal Forwarder Bug Report for splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz: on Getting Data In. 05-06-2020 11:19 AM
- Posted Raspberry Pi Universal Forwarder Bug Report for splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz: on Getting Data In. 05-06-2020 10:06 AM
- Tagged Raspberry Pi Universal Forwarder Bug Report for splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz: on Getting Data In. 05-06-2020 10:06 AM
- Posted Re: Forwarder tells me there's an "ERROR JsonLineBreaker ... had parsing error:Unexpected character: '5'" - but the error originates in the forwarder's own log? on Getting Data In. 05-06-2020 04:30 AM
- Posted Re: Forwarder tells me there's an "ERROR JsonLineBreaker ... had parsing error:Unexpected character: '5'" - but the error originates in the forwarder's own log? on Getting Data In. 05-06-2020 02:58 AM
- Posted Re: Forwarder tells me there's an "ERROR JsonLineBreaker ... had parsing error:Unexpected character: '5'" - but the error originates in the forwarder's own log? on Getting Data In. 05-05-2020 01:09 AM
- Posted Re: Forwarder tells me there's an "ERROR JsonLineBreaker ... had parsing error:Unexpected character: '5'" - but the error originates in the forwarder's own log? on Getting Data In. 05-04-2020 01:22 PM
- Posted Re: Forwarder tells me there's an "ERROR JsonLineBreaker ... had parsing error:Unexpected character: '5'" - but the error originates in the forwarder's own log? on Getting Data In. 05-04-2020 01:07 PM
Topics I've Started
12-14-2020 03:23 AM
Okay. This looks like a bug. There's no way the JSON events should be clumped like this.
12-10-2020 01:55 AM
I've checked a number of threads about breaking JSON files and I've tried a number of offered solutions and none seem to work. I'm running 8.1.0 and I don't remember seeing this as much of an issue in previous versions. The snort (ids-u2json) JSON is lint-valid as follows:

```
{"type": "event", "event": {"msg": "ET INFO Microsoft Connection Test", "classification": "Potentially Bad Traffic", "sensor-id": 0, "event-id": 581, "event-second": 1607588446, "event-microsecond": 790456, "signature-id": 2031071, "generator-id": 1, "signature-revision": 2, "classification-id": 3, "priority": 2, "sport-itype": 63591, "dport-icode": 80, "protocol": 6, "impact-flag": 0, "impact": 0, "blocked": 0, "mpls-label": null, "vlan-id": null, "pad2": null, "source-ip": "192.168.1.125", "destination-ip": "13.107.4.52"}}
{"type": "event", "event": {"msg": "ET POLICY PE EXE or DLL Windows file download HTTP", "classification": "Potential Corporate Privacy Violation", "sensor-id": 0, "event-id": 582, "event-second": 1607588467, "event-microsecond": 769440, "signature-id": 2018959, "generator-id": 1, "signature-revision": 4, "classification-id": 33, "priority": 1, "sport-itype": 80, "dport-icode": 63676, "protocol": 6, "impact-flag": 0, "impact": 0, "blocked": 0, "mpls-label": null, "vlan-id": null, "pad2": null, "source-ip": "205.185.216.10", "destination-ip": "192.168.1.125"}}
{"type": "event", "event": {"msg": "ET INFO Packed Executable Download", "classification": "Misc activity", "sensor-id": 0, "event-id": 583, "event-second": 1607588467, "event-microsecond": 769340, "signature-id": 2014819, "generator-id": 1, "signature-revision": 1, "classification-id": 29, "priority": 3, "sport-itype": 80, "dport-icode": 63676, "protocol": 6, "impact-flag": 0, "impact": 0, "blocked": 0, "mpls-label": null, "vlan-id": null, "pad2": null, "source-ip": "205.185.216.10", "destination-ip": "192.168.1.125"}}
```

props.conf on the UF is as follows:

```
[sourcetype=json]
KV_MODE=json
AUTO_KV_JSON=true
NO_BINARY_CHECK = true
disabled = false
SHOULD_LINEMERGE = false
TIME_FORMAT = "event-second": %s, "event-microsecond": %6N
LINE_BREAKER = }}(^s)
```

and props.conf on the indexer/search head as follows:

```
[stanza]
TZ = UTC
SHOULD_LINEMERGE = false
[_json]
DATETIME_CONFIG =
LINE_BREAKER = }}
NO_BINARY_CHECK = true
disabled = false
KV_MODE = json
[json_no_timestamp]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
```

According to what I've told the UF to do in props.conf, the UF should be splitting up the JSON events using the double braces LINE_BREAKER }} as follows:

```
{"type": "event", "event": {"msg": "ET INFO Microsoft Connection Test", "classification": "Potentially Bad Traffic", "sensor-id": 0, "event-id": 581, "event-second": 1607588446, "event-microsecond": 790456, "signature-id": 2031071, "generator-id": 1, "signature-revision": 2, "classification-id": 3, "priority": 2, "sport-itype": 63591, "dport-icode": 80, "protocol": 6, "impact-flag": 0, "impact": 0, "blocked": 0, "mpls-label": null, "vlan-id": null, "pad2": null, "source-ip": "192.168.1.125", "destination-ip": "13.107.4.52"}}
{"type": "event", "event": {"msg": "ET POLICY PE EXE or DLL Windows file download HTTP", "classification": "Potential Corporate Privacy Violation", "sensor-id": 0, "event-id": 582, "event-second": 1607588467, "event-microsecond": 769440, "signature-id": 2018959, "generator-id": 1, "signature-revision": 4, "classification-id": 33, "priority": 1, "sport-itype": 80, "dport-icode": 63676, "protocol": 6, "impact-flag": 0, "impact": 0, "blocked": 0, "mpls-label": null, "vlan-id": null, "pad2": null, "source-ip": "205.185.216.10", "destination-ip": "192.168.1.125"}}
{"type": "event", "event": {"msg": "ET INFO Packed Executable Download", "classification": "Misc activity", "sensor-id": 0, "event-id": 583, "event-second": 1607588467, "event-microsecond": 769340, "signature-id": 2014819, "generator-id": 1, "signature-revision": 1, "classification-id": 29, "priority": 3, "sport-itype": 80, "dport-icode": 63676, "protocol": 6, "impact-flag": 0, "impact": 0, "blocked": 0, "mpls-label": null, "vlan-id": null, "pad2": null, "source-ip": "205.185.216.10", "destination-ip": "192.168.1.125"}}
```

but it doesn't. Instead, the UF clumps them together as a single event and only reports on the first JSON stanza. Nothing I've tried for LINE_BREAKER seems to work - the UF seems to ignore it.
Many thanks
Labels: JSON, props.conf, universal forwarder
11-19-2020 02:21 AM
Hello fellow Splunk community members. I've finally got a workable solution for running Snort on my home router, outputting JSON to send across to my Raspberry Pi-homed UF. It works a treat, but for one thing. If you're curious, it's dd-wrt running Entware Snort, processing u2fast logs into JSON with python3-idstools. The Snort JSON output log on the router looks like this:

```
{"msg": "ET POLICY iTunes User Agent", "classification": "Potential Corporate Privacy Violation", "sensor-id": 0, "event-id": 354, "event-second": 1605757495, "event-microsecond": 660579, "signature-id": 2002878, "generator-id": 1, "signature-revision": 6, "classification-id": 33, "priority": 1, "sport-itype": 57226, "dport-icode": 80, "protocol": 6, "impact-flag": 0, "impact": 0, "blocked": 0, "mpls-label": null, "vlan-id": null, "pad2": null, "source-ip": "192.168.1.25", "destination-ip": "17.253.35.206"}}
```

It's JSON-lint validated output too so that's a bonus. But then syslog-ng gets its hands on it. I've delved deep into the balabit syslog-ng administration manual and despite adding all of the relevant syslog-ng.conf attributes to prevent syslog-ng adding its own header, syslog-ng can't seem to help itself! On the router sending the logs to the UF, the syslog-ng.conf looks like this:

** CHOPPED FOR BREVITY **

```
source s_snort_json {
  file("/tmp/alerts.json" follow-freq(1) flags(no-parse));
};
destination d_tcp_splunk_forwarder { network("192.168.1.92" template("${MESSAGE}\n") port(1514)); };
log {
  source(s_snort_json);
  destination(d_tcp_splunk_forwarder);
};
```

I've tried using the built-in json parser with syslog-ng, but it doesn't really work and simply adds to the problem: I don't really want syslog-ng to fiddle with the JSON at all. I just want to send it to the UF as it is. On the receiving UF system, the log is received using syslog-ng again. The syslog-ng.conf on that box looks like this:

** CHOPPED FOR BREVITY **

```
source s_network_tcp {
  network(
    ip("0.0.0.0")
    transport("tcp")
    port(1514)
    flags(no-parse)
  );
};
destination d_snort { file("/var/log/snort.json"); };
log { source(s_network_tcp); destination(d_snort); };
```

Note the flags(no-parse) and template (which both appear to have no effect) - syslog-ng still adds its own data! The output now (inexplicably) looks like this in /var/log/snort.json:

```
Nov 19 03:44:56 192.168.1.1 {"type": "event", "event": {"msg": "ET POLICY iTunes User Agent", "classification": "Potential Corporate Privacy Violation", "sensor-id": 0, "event-id": 354, "event-second": 1605757495, "event-microsecond": 660579, "signature-id": 2002878, "generator-id": 1, "signature-revision": 6, "classification-id": 33, "priority": 1, "sport-itype": 57226, "dport-icode": 80, "protocol": 6, "impact-flag": 0, "impact": 0, "blocked": 0, "mpls-label": null, "vlan-id": null, "pad2": null, "source-ip": "192.168.1.25", "destination-ip": "17.253.35.206"}}
```

Syslog-ng seems to be like a stubborn child. No matter how carefully you tell it not to do something, it still does exactly what it wants! Props.conf to the rescue here, right? On the UF, my props.conf looks like this:

```
[sourcetype=json]
KV_MODE = json
INDEXED_EXTRACTIONS = json
TIME_PREFIX= \"event-second\"\:
# I've tried SEDCMD-strip_prefix = s/^[^{]+// here too
SEDCMD-strip_prefix = s/^[^{]+//g
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
```

In Splunk however, the syslog-ng added header remains. I don't have a reliable way of testing the SEDCMD outputs as the Splunk version seems not to be a GNU-syntax-compatible sed implementation. Does anyone have any suggestions either for the syslog-ng pipeline conf(s) or in the props.conf where I'm going wrong? (I can't use rsyslog on the router BTW - opkg has no package available). Many thanks and all the best
Labels: JSON, props.conf, universal forwarder
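The 12-10-2020 post above expects LINE_BREAKER = }}(^s) to split the events and the 11-19-2020 post expects SEDCMD-strip_prefix = s/^[^{]+//g to drop the syslog-ng header; this added Python emulation of both settings (my own code, not Splunk's or the poster's, with constructed sample events standing in for the posted ones) shows why the first never matches and the second does. It assumes Splunk's documented LINE_BREAKER semantics: the text matched by the regex's capture group is discarded and marks the event boundary.

```python
"""Emulate the two props.conf stages the posts above rely on, so LINE_BREAKER
and SEDCMD regexes can be checked on sample data before they reach a forwarder."""
import json
import re

# Constructed sample: three one-line idstools-u2json events shaped like the ones
# in the 12-10-2020 post (trimmed to a few fields; not a capture from the page).
RAW_EVENTS = (
    '{"type": "event", "event": {"msg": "ET INFO Microsoft Connection Test", '
    '"event-id": 581, "event-second": 1607588446, "event-microsecond": 790456}}\n'
    '{"type": "event", "event": {"msg": "ET POLICY PE EXE or DLL Windows file download HTTP", '
    '"event-id": 582, "event-second": 1607588467, "event-microsecond": 769440}}\n'
    '{"type": "event", "event": {"msg": "ET INFO Packed Executable Download", '
    '"event-id": 583, "event-second": 1607588467, "event-microsecond": 769340}}\n'
)

# Constructed sample: one event after syslog-ng prepended its "<date> <host> "
# header, as seen in /var/log/snort.json in the 11-19-2020 post.
SYSLOG_PREFIXED = (
    'Nov 19 03:44:56 192.168.1.1 {"type": "event", "event": '
    '{"msg": "ET POLICY iTunes User Agent", "event-id": 354, '
    '"event-second": 1605757495, "event-microsecond": 660579}}\n'
)


def line_break(data: str, line_breaker: str) -> list:
    """Split data the way Splunk's LINE_BREAKER does: the regex must contain a
    capture group, whatever the group matches is discarded, and the event
    boundary is placed there. Empty events are dropped."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capture group")
    events, start = [], 0
    for m in pattern.finditer(data):
        events.append(data[start:m.start(1)])   # text before the group stays
        start = m.end(1)                        # the group's text is dropped
    events.append(data[start:])
    return [e for e in events if e.strip()]


def sedcmd(line: str, expr: str) -> str:
    """Apply a props.conf SEDCMD of the form s/regex/replacement/flags
    (only the g flag is modelled, which is all the posts use)."""
    m = re.fullmatch(r"s/(.*?)/(.*?)/(g?)", expr)
    if not m:
        raise ValueError(f"unsupported SEDCMD: {expr}")
    regex, repl, flag = m.groups()
    return re.sub(regex, repl, line, count=0 if flag == "g" else 1)


def event_timestamp(event: dict) -> float:
    """Combine event-second and event-microsecond, the two fields the
    12-10-2020 post's TIME_FORMAT tries to read, into one epoch timestamp."""
    inner = event["event"]
    return inner["event-second"] + inner["event-microsecond"] / 1_000_000


def demo() -> dict:
    # The post's LINE_BREAKER `}}(^s)` can only match a literal 's' at the start
    # of a line directly after `}}`, so it never fires and all three events
    # land in one chunk. Capturing the newline after `}}` splits them.
    clumped = line_break(RAW_EVENTS, r"}}(^s)")
    split = line_break(RAW_EVENTS, r"\}\}(\r?\n)")
    parsed = [json.loads(e) for e in split]     # each event still ends in }}
    # The 11-19-2020 post's SEDCMD removes everything before the first brace,
    # which is exactly the syslog-ng header.
    stripped = sedcmd(SYSLOG_PREFIXED.rstrip("\n"), "s/^[^{]+//g")
    return {
        "clumped": len(clumped),
        "split": len(split),
        "event_ids": [p["event"]["event-id"] for p in parsed],
        "first_ts": event_timestamp(parsed[0]),
        "stripped": stripped,
        "stripped_event_id": json.loads(stripped)["event"]["event-id"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A universal forwarder sends data on unparsed unless INDEXED_EXTRACTIONS is set, so LINE_BREAKER and SEDCMD in its props.conf are normally only honoured on the indexer or a heavy forwarder; that is where these regexes need to live and be checked.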
05-06-2020 11:19 AM
You're right, but ewwww, that's expected behaviour?
05-06-2020 10:06 AM
On a Raspberry Pi 3 armv7l GNU/Linux, INDEXED_EXTRACTIONS=JSON in the props.conf file results in unrecoverable JSON StreamId processing errors:

```
05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"
05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"
05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"
```

With the log expanding so quickly, it fills up the /opt/splunkforwarder/var/log/splunk/splunkd.log to maximum logrotate capacity.

Steps to duplicate bug:

- Install splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz onto a Raspberry Pi 3.
- Edit the /opt/splunkforwarder/etc/system/local/props.conf and add the following code:

```
[default]
SHOULD_LINEMERGE = false
KV_MODE = none
INDEXED_EXTRACTIONS=JSON
NO_BINARY_CHECK = true
TRUNCATE = 0
```

- Add a local JSON file to the splunk file monitor with `$SPLUNKHOME/bin/splunk add monitor /var/log/myvalidjsonfile.json -sourcetype json -host myhost -index myindex`
- Restart splunk.
- Check the file: `tail -f $SPLUNKHOME/var/log/splunk/splunkd.log`
- Watch it scroll away off the screen! The errors above are reported for both metrics.log and the splunkd.log itself(!)
- Stop splunk.
- Edit props.conf again and remove the line INDEXED_EXTRACTIONS=JSON.
- Restart splunk.
- Your splunkd.log is back to normal again.
05-06-2020 04:30 AM
Hi @PavelP,
It's done and the problem's gone away now.
All the best
** CORRECTION **
It's back, and the bug is repeatable. I've posted details and a bug report here https://answers.splunk.com/answers/822443/raspberry-pi-universal-forwarder-bug-report-for-sp.html
05-06-2020 02:58 AM
Okay so proposed answer here is re-install the UF.
There's one other user I've seen with this problem @anayar : https://answers.splunk.com/answers/741298/error-jsonlinebreaker.html and no solution available from user community or Splunk. If people aren't checking their UF logs, maybe they wouldn't even spot this. But my splunkd.log files are being logrotated out every 30 seconds so clearly this isn't a sustainable solution to keep it running as it is.
The mystery is how the UF got into this state as there's very little configuration or customisation on mine at all.
Cheers
05-05-2020 01:09 AM
Hi @PavelP

> all lines with "local" indicate the default configuration is being overwritten, it is not common.

On a default configuration, there is no props.conf at all, so there's nothing unusual there I think.

> INDEXED_EXTRACTIONS = json is definitely wrong here,

The stanza is not incorrect as it still parses the user-supplied JSON files perfectly (when it's not writing to the splunkd.log every millisecond or so!)

> because splunkd logs are not json files.

Correct, they are not. But I did not tell my splunk binary to do that, none of my config files tell it to do that and I suspect the same applies to @anayar : https://answers.splunk.com/answers/741298/error-jsonlinebreaker.html. Besides, the strangest thing isn't that Splunk thinks the splunkd.log is a JSON file; even stranger is that Splunk reports that its own application log is the source of an error, in the application log!
This is a software bug in Splunk I think, but I doubt the Splunk devs will be interested until more users experience this weird behaviour.
I'm gonna leave this running for another 24 hours, just in case someone here wants to try to triage it, but then I'll reinstall - any program pushing out multiple log lines per millisecond is not good for the CPU or the MicroSD card's flash wear.
All the best
05-04-2020 01:22 PM
I've just noticed another error that gets generated, but only once:

```
05-04-2020 21:18:23.101 +0100 ERROR JsonLineBreaker - JSON StreamId:17548257037373434191 had parsing error:Unexpected character while looking for value: 'h' - data_source="/var/log/eve.json", data_host="dd-wrt", data_sourcetype="json"
```

Is the letter 'h' really so unexpected in a lint-validated json file?!
05-04-2020 01:07 PM
Hi PavelP,
Thanks - I tried that too already. Nothing unexpected in there, right?

```
/opt/splunkforwarder/etc/apps/search/default/props.conf [splunkd]
/opt/splunkforwarder/etc/apps/search/default/props.conf EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<event_message>.+)
/opt/splunkforwarder/etc/system/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/local/props.conf KV_MODE = none
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
/opt/splunkforwarder/etc/system/local/props.conf TIME_PREFIX = "Time":
/opt/splunkforwarder/etc/system/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/local/props.conf KV_MODE = none
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
/opt/splunkforwarder/etc/system/local/props.conf TIME_PREFIX = "Time":
/opt/splunkforwarder/etc/system/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/local/props.conf KV_MODE = none
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
/opt/splunkforwarder/etc/system/local/props.conf TIME_PREFIX = "Time":
/opt/splunkforwarder/etc/system/local/props.conf TRUNCATE = 0
/opt/splunkforwarder/etc/system/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/local/props.conf KV_MODE = none
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
/opt/splunkforwarder/etc/system/local/props.conf TIME_PREFIX = "Time":
/opt/splunkforwarder/etc/system/local/props.conf TRUNCATE = 0
/opt/splunkforwarder/etc/system/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
/opt/splunkforwarder/etc/system/local/props.conf TIME_PREFIX = "Time":
/opt/splunkforwarder/etc/system/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/local/props.conf KV_MODE = none
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
/opt/splunkforwarder/etc/system/local/props.conf TIME_PREFIX = "Time":
/opt/splunkforwarder/etc/system/local/props.conf TRUNCATE = 0
/opt/splunkforwarder/etc/system/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/local/props.conf KV_MODE = none
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
/opt/splunkforwarder/etc/system/local/props.conf TIME_PREFIX = "Time":
/opt/splunkforwarder/etc/system/local/props.conf TRUNCATE = 0
/opt/splunkforwarder/etc/system/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/system/local/props.conf KV_MODE = none
/opt/splunkforwarder/etc/system/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/system/local/props.conf SEDCMD-strip_prefix = s/^[^{]+//g
```
05-04-2020 08:14 AM
Hello good people of the Splunk Community. This one's got me foxed.
I noticed this morning that the splunkd logs on my Raspberry Pi-hosted Universal Forwarder are rotating really quickly (check out the timestamps below - it is literally creating a log entry as fast as the CPU will spin) and I've got no idea why.
Oddly, the error appears to originate in Splunk's own log at:
/opt/splunkforwarder/var/log/splunk/splunkd.log
At first I thought the error must have been introduced from a parsed log, but then I realised two odd things - firstly, the splunkd errors I'm seeing reference the log itself as the source of the problem and secondly it appears to take issue with the number '5' (in its own log)?
Removing the logs and restarting the forwarder doesn't help, rebooting the RPi doesn't help. As soon as the splunkd service starts, it immediately spams the splunkd.log with this. Anyone any ideas what I'm missing?
Here's what it looks like:

```
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.118 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.118 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.118 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
... and lots more ...
... and more ...
... more ..
```
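As an added health check for the loop reported in this 05-04-2020 question and in the 05-06-2020 bug report above (my code, not Splunk's or the poster's): it parses splunkd.log lines in the quoted format, flags JsonLineBreaker errors whose data_source is one of the forwarder's own log files, and measures the peak error rate per second; the sample lines are constructed, and SPLUNK_HOME is assumed to be /opt/splunkforwarder as in the posts.

```python
"""Health check for the runaway JsonLineBreaker loop described in the
05-06-2020 bug report and the 05-04-2020 question above."""
import re
from collections import Counter

# Constructed sample lines in the same format as those quoted in the posts
# (not a capture from the page; the INFO line stands in for unrelated noise).
SAMPLE_LOG = """\
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.117 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:24.118 +0100 ERROR JsonLineBreaker - JSON StreamId:14919777892573414995 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/splunkd.log", data_host="rpi3", data_sourcetype="json"
05-04-2020 15:48:25.002 +0100 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.1
05-04-2020 21:18:23.101 +0100 ERROR JsonLineBreaker - JSON StreamId:17548257037373434191 had parsing error:Unexpected character while looking for value: 'h' - data_source="/var/log/eve.json", data_host="dd-wrt", data_sourcetype="json"
"""

# Assumed install path, as used throughout the posts.
SPLUNK_HOME = "/opt/splunkforwarder"

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} [+-]\d{4} '
    r'ERROR JsonLineBreaker - .*?data_source="(?P<source>[^"]+)"'
)


def parse_errors(text: str) -> list:
    """Return (timestamp to the second, data_source) for every
    JsonLineBreaker error line; all other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("ts"), m.group("source")))
    return out


def self_referential_sources(text: str, splunk_home: str = SPLUNK_HOME) -> list:
    """data_source values that are the forwarder's own log files: the loop
    signature in the posts, where splunkd logs an error about splunkd.log
    into splunkd.log and thereby produces more input to fail on."""
    own_logs = splunk_home.rstrip("/") + "/var/log/splunk/"
    return sorted({src for _, src in parse_errors(text) if src.startswith(own_logs)})


def peak_errors_per_second(text: str) -> int:
    """Largest number of JsonLineBreaker errors stamped within one second."""
    counts = Counter(ts for ts, _ in parse_errors(text))
    return max(counts.values(), default=0)


def is_runaway(text: str, threshold: int = 50) -> bool:
    """True when the forwarder is erroring on its own logs at a rate that
    will rotate splunkd.log in seconds. The default threshold is a chosen
    value, not one from the posts; tune it to the host."""
    return bool(self_referential_sources(text)) and peak_errors_per_second(text) >= threshold


if __name__ == "__main__":
    print("own-log sources:", self_referential_sources(SAMPLE_LOG))
    print("peak errors/s:", peak_errors_per_second(SAMPLE_LOG))
    print("runaway (threshold 2):", is_runaway(SAMPLE_LOG, threshold=2))
```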
10-07-2018 07:27 PM
Ah indeed, you can download from the webpage, but the latest 7.2.x version fails to wget correctly.
Not ideal, but workable if you grab it from the webpage and SCP it to your RPi.
Thanks.
10-07-2018 07:03 PM
That download actually fails (neither the wget nor the direct link works anymore), so the OP is correct - there are no more options for Raspberry Pi forwarding, which is a shame as it is the No. 1 selling computer in the world!
03-28-2015 01:30 PM
Starting it as root should solve the problem, logically. But it doesn't. There's something hardcoded in there that requires the installation user to start it under that context only.
03-28-2015 01:26 PM
It appears that installing as a .deb does the same thing. The complication is that I have no users.ini file because this question is a free home installation.
03-22-2015 03:05 PM
The board won't let me post the remaining lines, presumably because it's misinterpreting a string in the output as code. But it's much of the same. I've not changed any permissions between upgrading, so anything that looks odd is an output of the upgrade.
03-22-2015 03:00 PM
```
splunk@ubuntu:~/bin$ ls -l /opt/splunk/etc/system/local
total 32
-rw------- 1 splunk splunk 0 Mar 22 18:47 eventtypes.conf
-rw-r--r-- 1 splunk splunk 80 Mar 22 18:47 indexes.conf
-rw-r--r-- 1 splunk splunk 80 Mar 22 18:47 indexes.conf.old
-rw------- 1 splunk splunk 24 Mar 22 18:47 inputs.conf
-rw------- 1 splunk splunk 48 Sep 16 2014 limits.conf
-rw------- 1 splunk splunk 261 Mar 22 18:47 migration.conf
-r--r--r-- 1 splunk splunk 265 Jul 30 2014 README
-rw------- 1 splunk splunk 0 Nov 29 16:10 serverclass.conf
-rw------- 1 splunk splunk 527 Nov 29 18:49 server.conf
-rw------- 1 splunk splunk 34 Feb 13 15:36 web.conf
splunk@ubuntu:~/bin$ ls -l /opt/splunk/etc/system
total 44
drwxr-xr-x 2 splunk splunk 4096 Mar 22 18:46 bin
drwxr-xr-x 3 splunk splunk 4096 Mar 22 18:46 default
drwxr-xr-x 2 splunk splunk 4096 Mar 22 18:47 local
drwxr-xr-x 2 splunk splunk 4096 Mar 22 18:46 lookups
drwxr-xr-x 2 splunk splunk 4096 Mar 22 18:46 metadata
drwxr-xr-x 2 splunk splunk 20480 Mar 22 18:46 README
drwxr-xr-x 2 splunk splunk 4096 Mar 22 18:46 static
```
03-22-2015 02:53 PM
Hi. No SELinux here (shudders!)

```
ls -l /opt/splunk/etc/system/local/server.conf
-rw------- 1 splunk splunk 527 Nov 29 18:49 /opt/splunk/etc/system/local/server.conf
```
03-22-2015 01:30 PM
I've gone through the answers here and tried the following:

- Unlocking stale PIDs
- clean locks
- chown -R <user>:<group> /opt/splunk

But nothing seems to work. The last message:

> Please login as an administrator and correct issue.

when I'm root can only mean that something is hardcoded that really shouldn't be.
Here's the complete output (which is the same if I run it under the splunk user, or the user set in the /etc/init.d/splunk script, which is irrelevant here I think):

```
root@ubuntu:/opt/splunk/bin# ./splunk start
Splunk> All batbelt. No tights.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main snort_test summary test
Done
Cannot open file=/opt/splunk/etc/system/local/server.conf for parsing: Permission denied
Cannot create username mapping file: /opt/splunk/etc/users/users.ini: Permission denied
Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
Error opening username mapping file: /opt/splunk/etc/users/users.ini
Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
New certs have been generated in '/opt/splunk/etc/auth'.
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
ERROR - Error opening "/opt/splunk/var/log/splunk/splunkd-utility.log": Permission denied
Your active group is invalid. Please login as an administrator and correct issue.
ERROR IniFile - Cannot open file=/opt/splunk/etc/system/local/server.conf for parsing: Permission denied
ERROR UsernameMapper - Cannot create username mapping file: /opt/splunk/etc/users/users.ini: Permission denied
ERROR IniFile - Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
ERROR UsernameMapper - Error opening username mapping file: /opt/splunk/etc/users/users.ini
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/launcher/metadata/local.meta: Permission denied
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/search/metadata/local.meta: Permission denied
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/splunk_app_for_nix/metadata/local.meta: Permission denied
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/learned/metadata/local.meta: Permission denied
ERROR IniFile - Cannot open file=/opt/splunk/etc/system/local/server.conf for parsing: Permission denied
ERROR UsernameMapper - Cannot create username mapping file: /opt/splunk/etc/users/users.ini: Permission denied
ERROR IniFile - Cannot open file=/opt/splunk/etc/users/users.ini for parsing: Permission denied
ERROR UsernameMapper - Error opening username mapping file: /opt/splunk/etc/users/users.ini
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/launcher/metadata/local.meta: Permission denied
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/search/metadata/local.meta: Permission denied
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/splunk_app_for_nix/metadata/local.meta: Permission denied
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/system/metadata/local.meta: Permission denied
ERROR ConfObjectManagerDB - Cannot initialize: /opt/splunk/etc/apps/learned/metadata/local.meta: Permission denied
The SPLUNK_DB environment variable was defined but the test file ("/opt/splunk/var/lib/splunk/test.kMgOmj") could not be created by the current user: Permission denied
Locking test failed on filesystem in path /opt/splunk/var/lib/splunk with code '7'. Please file a case online at http://www.splunk.com/page/submit_issue
Checking filesystem compatibility... root@ubuntu:/opt/splunk/bin#
```
Any ideas anyone? Thanks and regards