×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
tfallon
New Member
Member since: ‎11-08-2019
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-08-2019
Activity Feed
View All

Re: CentOS 6 iptables blocking universal forwarder...

by in Getting Data In
‎11-19-2019 03:15 PM
‎11-19-2019 03:15 PM
Hi FrankVI I tried the tcpdump approach and could not see any traffic at all to the deployment server either with iptables enabled or disabled. I tried pinpointing just port 8089 and there were no packets captured at all. So I think there is something else at play here possibly. All the deploy-poll commands failed not just the set command. I'd expect the set to fail if there was communication being blocked by the iptables rule but the show command also failed (and still does) if iptables is enabled. As a workaround I manually created this file /opt/splunkforwarder/etc/system/local/deploymentclient.conf With the following contents [target-broker:deploymentServer] targetUri = splunkdeployment.mydomain.com:8089 And the deployment client is now showing up on the deployment server as managed. I'm going to try the above workaround on the remaining problem machines and see how far that gets me - not ideal but if it works it works (and may help someone else finding this potentially). cheers Tom ... View more

Re: CentOS 6 iptables blocking universal forwarder...

by in Getting Data In
‎11-08-2019 09:15 AM
‎11-08-2019 09:15 AM
Thanks FrankVI - given that if I disable iptables on the problem machine(s) then the set deploy-poll command works straight away it seems clear that iptables is at fault on the servers running UF not the deployment server. I don't have access to the console on the deployment server to check netstat etc but can get one of my colleagues to do so monday. I had added logging too using this command sudo iptables -I INPUT 1 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 But when checking the logs post another run of set deploy-poll command there is nothing ref dropped packets... nothing in logs at all come to that. cheers Tom ... View more

CentOS 6 iptables blocking universal forwarder com...

by in Getting Data In
‎11-08-2019 06:06 AM
‎11-08-2019 06:06 AM
On a number of CentOS 6 machines which have long iptables rules with multiple chains (details can be provided if required) the UF can be installed ok however when running this command: /opt/splunkforwarder/bin/splunk set deploy-poll <splunkdeploymentserver.fqdn:8089> The command times out and eventually throws this warning/error Couldn't complete HTTP request: Connection timed out On other CentOS 6 boxes still with iptables enabled but without the number of chains, the command works as expected. I've parsed the malfunctioning iptables rules and cannot see any conflict or reason for this to fail. Additionally adding specific rules for all ports both tcp and udp to the top of both the INPUT and OUTPUT chains makes no difference. And even more bizarrely I can telnet to the splunk deployment server over port 8089 successfully..... Runnin nmap from one of the affected clients shows ports open on the deployment server as follows Starting Nmap 5.51 ( http://nmap.org ) at 2019-11-08 13:41 GMT Nmap scan report for splunkdeployment.fqdn (ip-address) Host is up (0.0017s latency). Not shown: 65533 closed ports PORT STATE SERVICE 443/tcp open https 8089/tcp open unknown 9997/tcp open unknown As soon as I disable iptables however i can run the set deploy-poll command successfully. Has anyone encountered this sort of behaviour before? cheers Tom ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM