Hi, I am new to Splunk and running both Splunk Enterprise and Universal Forwarder in a Docker container (on the same host for now). My forwarder keeps shutting down, and I am not quite sure why. Probably a configuration issue. This is the last error I find in the logs before the shutdown:

TASK [splunk_common : Test basic https endpoint] *******************************
fatal: [localhost]: FAILED! => {
"attempts": 60,
"changed": false,
"elapsed": 10,
"failed_when_result": true,
"redirected": false,
"status": -1,
"url": "https://127.0.0.1:8089"
}
MSG:
Status code was -1 and not [200, 404]: Request failed: <urlopen error _ssl.c:1074: The handshake operation timed out>
...ignoring

After that there is a bit more in the logs, before it finally stops working:

Monday 20 December 2021 09:57:02 +0000 (0:17:30.719) 0:18:04.687 *******
TASK [splunk_common : Set url prefix for future REST calls] ********************
ok: [localhost]
Monday 20 December 2021 09:57:02 +0000 (0:00:00.088) 0:18:04.775 *******
included: /opt/ansible/roles/splunk_common/tasks/clean_user_seed.yml for localhost
Monday 20 December 2021 09:57:02 +0000 (0:00:00.214) 0:18:04.989 *******
[WARNING]: Using world-readable permissions for temporary files Ansible needs
to create when becoming an unprivileged user. This may be insecure. For
information on securing this, see
https://docs.ansible.com/ansible/user_guide/become.html#risks-of-becoming-an-
unprivileged-user
TASK [splunk_common : Remove user-seed.conf] ***********************************
ok: [localhost]
Monday 20 December 2021 09:57:03 +0000 (0:00:00.653) 0:18:05.643 *******
included: /opt/ansible/roles/splunk_common/tasks/add_splunk_license.yml for localhost
Monday 20 December 2021 09:57:03 +0000 (0:00:00.228) 0:18:05.871 *******
TASK [splunk_common : Initialize licenses array] *******************************
ok: [localhost]
Monday 20 December 2021 09:57:03 +0000 (0:00:00.082) 0:18:05.954 *******
TASK [splunk_common : Determine available licenses] ****************************
ok: [localhost] => (item=splunk.lic)
Monday 20 December 2021 09:57:03 +0000 (0:00:00.117) 0:18:06.072 *******
included: /opt/ansible/roles/splunk_common/tasks/apply_licenses.yml for localhost => (item=splunk.lic)
Monday 20 December 2021 09:57:03 +0000 (0:00:00.162) 0:18:06.235 *******
Monday 20 December 2021 09:57:03 +0000 (0:00:00.074) 0:18:06.309 *******
Monday 20 December 2021 09:57:03 +0000 (0:00:00.078) 0:18:06.387 *******
Monday 20 December 2021 09:57:03 +0000 (0:00:00.077) 0:18:06.465 *******
included: /opt/ansible/roles/splunk_common/tasks/licenses/add_license.yml for localhost
Monday 20 December 2021 09:57:04 +0000 (0:00:00.141) 0:18:06.606 *******
Monday 20 December 2021 09:57:04 +0000 (0:00:00.079) 0:18:06.686 *******
[WARNING]: Using world-readable permissions for temporary files Ansible needs
to create when becoming an unprivileged user. This may be insecure. For
information on securing this, see
https://docs.ansible.com/ansible/user_guide/become.html#risks-of-becoming-an-
unprivileged-user
TASK [splunk_common : Ensure license path] *************************************
ok: [localhost]
Monday 20 December 2021 09:57:04 +0000 (0:00:00.622) 0:18:07.308 *******
Monday 20 December 2021 09:57:04 +0000 (0:00:00.074) 0:18:07.382 *******
Monday 20 December 2021 09:57:04 +0000 (0:00:00.108) 0:18:07.491 *******
Monday 20 December 2021 09:57:05 +0000 (0:00:00.076) 0:18:07.568 *******
included: /opt/ansible/roles/splunk_universal_forwarder/tasks/../../../roles/splunk_common/tasks/set_as_hec_receiver.yml for localhost
Monday 20 December 2021 09:57:05 +0000 (0:00:00.118) 0:18:07.686 *******
[WARNING]: Using world-readable permissions for temporary files Ansible needs
to create when becoming an unprivileged user. This may be insecure. For
information on securing this, see
https://docs.ansible.com/ansible/user_guide/become.html#risks-of-becoming-an-
unprivileged-user

outputs.conf:

[indexAndForward]
index = false
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunk:9997
disabled = false

inputs.conf:

[monitor:///docker/py-sandbox/log/*.json]
disabled = 0
[monitor:///docker/fa/log/*.json]
disabled = 0

server.conf (I removed the keys/SSL password, I never created those myself though):

[general]
serverName = synoUniFW
pass4SymmKey = <somekey>
[sslConfig]
sslPassword = <some pw>
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

In Splunk Enterprise I have opened port 9997 and it actually receives logs, until it doesn't... What am I doing wrong? Thanks!
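An added example, not code from the original post and not Splunk's own tooling: a small Python script that parses the outputs.conf and inputs.conf shown above, flags the settings that most often matter when the forwarder and the indexer are separate containers on one host (a bare hostname in the tcpout target that only resolves over a shared Docker network, and monitored paths that are not visible inside the forwarder container), and probes the management port the same way the failing Ansible task does, with a TLS handshake to 127.0.0.1:8089 under a timeout, so that "connection refused" and "handshake timed out" are reported as distinct outcomes. The conf text is a constructed copy of the files in the post; the function names, the finding messages and the `path_exists` hook are my own assumptions.

```python
"""Lint a Universal Forwarder's outputs.conf/inputs.conf and probe the
management port the way the 'Test basic https endpoint' task does."""
import os
import re
import socket
import ssl

# Constructed copies of the two conf files quoted in the question.
OUTPUTS_CONF = """\
[indexAndForward]
index = false

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk:9997
disabled = false
"""

INPUTS_CONF = """\
[monitor:///docker/py-sandbox/log/*.json]
disabled = 0

[monitor:///docker/fa/log/*.json]
disabled = 0
"""


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_outputs(text):
    """Return findings for outputs.conf (empty list means nothing flagged)."""
    conf, findings = parse_conf(text), []
    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["tcpout: no defaultGroup set, nothing will be forwarded"]
    stanza = conf.get(f"tcpout:{group}")
    if stanza is None:
        return [f"tcpout: defaultGroup '{group}' has no [tcpout:{group}] stanza"]
    if stanza.get("disabled", "false").lower() in ("1", "true"):
        findings.append(f"tcpout:{group} is disabled")
    for target in stanza.get("server", "").split(","):
        target = target.strip()
        m = re.fullmatch(r"([^:]+):(\d+)", target)
        if not m:
            findings.append(f"tcpout:{group}: server '{target}' is not host:port")
            continue
        host = m.group(1)
        if "." not in host:
            # A bare name such as 'splunk' is only resolvable through Docker's
            # embedded DNS, so both containers must be on one user-defined network.
            findings.append(f"tcpout:{group}: '{host}' is a bare name; needs a shared Docker network")
    return findings


def lint_inputs(text, path_exists=os.path.exists):
    """Return findings for inputs.conf; path_exists is injectable for testing."""
    findings = []
    for stanza, keys in parse_conf(text).items():
        if not stanza.startswith("monitor://"):
            continue
        pattern = stanza[len("monitor://"):]
        # For a wildcard pattern, check the directory that holds the files.
        directory = pattern.rsplit("/", 1)[0] if "*" in pattern else pattern
        if keys.get("disabled", "0").lower() in ("1", "true"):
            findings.append(f"{stanza}: input is disabled")
        if not path_exists(directory):
            findings.append(f"{stanza}: '{directory}' not visible in the forwarder container (missing volume mount?)")
    return findings


def probe_mgmt_port(host="127.0.0.1", port=8089, timeout=10):
    """Classify what the Ansible https check would see: 'ok', 'refused',
    'connect-timeout', 'handshake-timeout' or 'error:<reason>'.
    Certificate verification is off because this only asks whether splunkd
    completes a TLS handshake, not whether its default self-signed cert is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"            # nothing listening on the management port
    except socket.timeout:
        return "connect-timeout"    # TCP SYN never answered
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "ok"             # handshake completed within the timeout
    except socket.timeout:
        return "handshake-timeout"  # TCP accepted, but TLS never finished
    except ssl.SSLError as exc:
        return f"error:{exc.reason}"
    finally:
        raw.close()


if __name__ == "__main__":
    for finding in lint_outputs(OUTPUTS_CONF) + lint_inputs(INPUTS_CONF):
        print("finding:", finding)
    print("management port:", probe_mgmt_port())
```

Run it inside the forwarder container so that the path checks and the 127.0.0.1:8089 probe see what splunkd sees; a `handshake-timeout` result matches the `_ssl.c:1074: The handshake operation timed out` message in the question, whereas `refused` would mean the management port was never opened at all.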