Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About pmcl77
pmcl77
Loves-to-Learn Lots
Member since:
12-20-2021
12-25-2021
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-20-2021 |
Activity Feed
- Posted Re: Universal Forwarder service stops - Test basic https endpoint failed on Getting Data In. 12-21-2021 02:49 PM
- Posted Re: Splunk Docker - Which is the right folder for props.conf (and other config files) on Getting Data In. 12-21-2021 11:09 AM
- Posted Splunk Docker - Which is the right folder for props.conf (and other config files) on Getting Data In. 12-21-2021 08:54 AM
- Posted Re: Universal Forwarder service stops - Test basic https endpoint failed on Getting Data In. 12-21-2021 01:43 AM
- Posted Re: Universal Forwarder service stops - Test basic https endpoint failed on Getting Data In. 12-20-2021 12:08 PM
- Posted Re: Universal Forwarder service stops - Test basic https endpoint failed on Getting Data In. 12-20-2021 12:03 PM
- Posted Docker - Universal Forwarder service stops - Test basic https endpoint failed on Getting Data In. 12-20-2021 02:10 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
12-21-2021
02:49 PM
Hi @aasabatini I suppose you mean from the universalforwarder, not splunk enterprise? Since it seems not possible to upload files here and the logs being pretty long I have made them available here Also, here is the ouptut: [ansible@synoUniFw splunkforwarder]$ ls -lrt /opt/
total 16
drwxr-xr-x 13 splunk splunk 4096 Dec 17 22:42 splunkforwarder-etc
drwxrwxr-x 16 root ansible 4096 Dec 18 00:58 ansible
drwxrwxr-x 2 ansible ansible 4096 Dec 21 22:03 container_artifact
drwxr-xr-x 17 splunk splunk 4096 Dec 21 22:26 splunkforwarder
[ansible@synoUniFw splunkforwarder]$ sudo /opt/splunkforwarder/bin/splunk status
splunkd is running (PID: 1156).
splunk helpers are running (PIDs: 1159). From the verbose ansible output I can find the following fatal errors. They might both have to do with ssl? However, I have not enabled ssl, so I would assume it should work anyway. unifw | TASK [splunk_common : Test basic https endpoint] *******************************
unifw | task path: /opt/ansible/roles/splunk_common/tasks/set_certificate_prefix.yml:2
unifw | fatal: [localhost]: FAILED! => {
unifw | "attempts": 60,
unifw | "changed": false,
unifw | "elapsed": 10,
unifw | "failed_when_result": true,
unifw | "redirected": false,
unifw | "status": -1,
unifw | "url": "https://127.0.0.1:8089"
unifw | }
unifw |
unifw | MSG:
unifw |
unifw | Status code was -1 and not [200, 404]: Request failed: <urlopen error _ssl.c:1074: The handshake operation timed out>
unifw | ...ignoring
...
unifw | TASK [splunk_universal_forwarder : Setup global HEC] ***************************
unifw | task path: /opt/ansible/roles/splunk_common/tasks/set_as_hec_receiver.yml:4
unifw | fatal: [localhost]: FAILED! => {
unifw | "changed": false,
unifw | "elapsed": 60,
unifw | "redirected": false,
unifw | "status": -1,
unifw | "url": "http://127.0.0.1:8089/services/data/inputs/http/http"
unifw | }
unifw |
unifw | MSG:
unifw |
unifw | Status code was -1 and not [200]: Connection failure: timed out Once it's done with the "playbook" the service/container shuts down (exited with code 2).
... View more
12-21-2021
11:09 AM
Thank you @Stefanie Great input, I have read about the concepts of creating an app for configuration in another post but I am not yet at that stage 🙂 I am still experimenting how to correctly getting the data in and then how to make reports for that. But I will keep that in mind and will try to figure that out once I am more familiar with the basics. Best,
... View more
12-21-2021
08:54 AM
Hi, I have found several locations with a props.conf in my Docker splunk:8.2 image: ./opt/splunk/etc/apps/legacy/default/props.conf
./opt/splunk/etc/apps/search/local/props.conf
./opt/splunk/etc/apps/search/default/props.conf
./opt/splunk/etc/apps/splunk_internal_metrics/default/props.conf
./opt/splunk/etc/apps/splunk_monitoring_console/default/props.conf
./opt/splunk/etc/apps/sample_app/default/props.conf
./opt/splunk/etc/apps/SplunkLightForwarder/default/props.conf
./opt/splunk/etc/apps/splunk_archiver/default/props.conf
./opt/splunk/etc/apps/splunk_secure_gateway/default/props.conf
./opt/splunk/etc/apps/splunk_rapid_diag/default/props.conf
./opt/splunk/etc/apps/splunk_instrumentation/default/props.conf
./opt/splunk/etc/apps/learned/local/props.conf
./opt/splunk/etc/system/default/props.conf I noticed, when I add a sourcetype in splunk Enterprise web interface (Settings -> sourcetypes) they will be saved in two locations: apps/search/local/props.conf apps/search/metadata/local.meta I was just wondering, if any of these two would be right location to copy a manually configured props.conf file, or if I should rather add it to /opt/splunk/etc/system/default/props.conf instead? Thanks
... View more
Labels
- Labels:
-
props.conf
12-21-2021
01:43 AM
Hey @aasabatini Yes, I read that in the docs already... I don't think it's a port issue, all necessary ports seem open. >docker ps 99c07b0261e4 splunk/universalforwarder:8.2 "/sbin/entrypoint.sh…" 10 hours ago Up About a minute (healthy) 8088-8089/tcp, 9997/tcp unifw 94a7d4bb28b7 splunk/splunk:8.2 "/sbin/entrypoint.sh…" 13 hours ago Up About a minute (healthy) 8065/tcp, 0.0.0.0:8000->8000/tcp, 8088/tcp, 8191/tcp, 0.0.0.0:8089->8089/tcp, 0.0.0.0:9997->9997/tcp, 9887/tcp splunk
... View more
12-20-2021
12:08 PM
Thanks, I found the logs in /opt/splunkforwarder/var/log/splunk After enabling more verbose logging, I got this from the ansible/docker logs: TASK [splunk_universal_forwarder : Setup global HEC] ***************************
task path: /opt/ansible/roles/splunk_common/tasks/set_as_hec_receiver.yml:4
fatal: [localhost]: FAILED! => {
"changed": false,
"elapsed": 60,
"redirected": false,
"status": -1,
"url": "http://127.0.0.1:8089/services/data/inputs/http/http"
}
MSG:
Status code was -1 and not [200]: Connection failure: timed out So, fatal, maybe this is the reason... might in the end be a problem on the splunk enterprise container. Though it's strange because I do receive logs and why should it shut down after a connection timeout? Will browse more logs...
... View more
12-20-2021
12:03 PM
Hi @aasabatini Thanks, it seems Port 8089 is by default already open on the splunk Enterprise docker image. I also tried to setup a HEC receiver on that port but it would not let me because the port was already busy. I suppose those images are setup by default like this. I am enabling more verbose debugging to see if I can find something, or see if it can find me :;) Best
... View more
12-20-2021
02:10 AM
Hi, I am new to Splunk and running both Splunk Enterprise and Universal Forwarder in a Docker container (on the same host for now). My forwarder keeps shutting down, and I am not quite sure why. Probably a configuration issue. This is the last error I find in the logs before the shutdown: TASK [splunk_common : Test basic https endpoint] *******************************
fatal: [localhost]: FAILED! => {
"attempts": 60,
"changed": false,
"elapsed": 10,
"failed_when_result": true,
"redirected": false,
"status": -1,
"url": "https://127.0.0.1:8089"
}
MSG:
Status code was -1 and not [200, 404]: Request failed: <urlopen error _ssl.c:1074: The handshake operation timed out>
...ignoring after that there is a bit more in the logs, before it finally stops working: Monday 20 December 2021 09:57:02 +0000 (0:17:30.719) 0:18:04.687 *******
TASK [splunk_common : Set url prefix for future REST calls] ********************
ok: [localhost]
Monday 20 December 2021 09:57:02 +0000 (0:00:00.088) 0:18:04.775 *******
included: /opt/ansible/roles/splunk_common/tasks/clean_user_seed.yml for localhost
Monday 20 December 2021 09:57:02 +0000 (0:00:00.214) 0:18:04.989 *******
[WARNING]: Using world-readable permissions for temporary files Ansible needs
to create when becoming an unprivileged user. This may be insecure. For
information on securing this, see
https://docs.ansible.com/ansible/user_guide/become.html#risks-of-becoming-an-
unprivileged-user
TASK [splunk_common : Remove user-seed.conf] ***********************************
ok: [localhost]
Monday 20 December 2021 09:57:03 +0000 (0:00:00.653) 0:18:05.643 *******
included: /opt/ansible/roles/splunk_common/tasks/add_splunk_license.yml for localhost
Monday 20 December 2021 09:57:03 +0000 (0:00:00.228) 0:18:05.871 *******
TASK [splunk_common : Initialize licenses array] *******************************
ok: [localhost]
Monday 20 December 2021 09:57:03 +0000 (0:00:00.082) 0:18:05.954 *******
TASK [splunk_common : Determine available licenses] ****************************
ok: [localhost] => (item=splunk.lic)
Monday 20 December 2021 09:57:03 +0000 (0:00:00.117) 0:18:06.072 *******
included: /opt/ansible/roles/splunk_common/tasks/apply_licenses.yml for localhost => (item=splunk.lic)
Monday 20 December 2021 09:57:03 +0000 (0:00:00.162) 0:18:06.235 *******
Monday 20 December 2021 09:57:03 +0000 (0:00:00.074) 0:18:06.309 *******
Monday 20 December 2021 09:57:03 +0000 (0:00:00.078) 0:18:06.387 *******
Monday 20 December 2021 09:57:03 +0000 (0:00:00.077) 0:18:06.465 *******
included: /opt/ansible/roles/splunk_common/tasks/licenses/add_license.yml for localhost
Monday 20 December 2021 09:57:04 +0000 (0:00:00.141) 0:18:06.606 *******
Monday 20 December 2021 09:57:04 +0000 (0:00:00.079) 0:18:06.686 *******
[WARNING]: Using world-readable permissions for temporary files Ansible needs
to create when becoming an unprivileged user. This may be insecure. For
information on securing this, see
https://docs.ansible.com/ansible/user_guide/become.html#risks-of-becoming-an-
unprivileged-user
TASK [splunk_common : Ensure license path] *************************************
ok: [localhost]
Monday 20 December 2021 09:57:04 +0000 (0:00:00.622) 0:18:07.308 *******
Monday 20 December 2021 09:57:04 +0000 (0:00:00.074) 0:18:07.382 *******
Monday 20 December 2021 09:57:04 +0000 (0:00:00.108) 0:18:07.491 *******
Monday 20 December 2021 09:57:05 +0000 (0:00:00.076) 0:18:07.568 *******
included: /opt/ansible/roles/splunk_universal_forwarder/tasks/../../../roles/splunk_common/tasks/set_as_hec_receiver.yml for localhost
Monday 20 December 2021 09:57:05 +0000 (0:00:00.118) 0:18:07.686 *******
[WARNING]: Using world-readable permissions for temporary files Ansible needs
to create when becoming an unprivileged user. This may be insecure. For
information on securing this, see
https://docs.ansible.com/ansible/user_guide/become.html#risks-of-becoming-an-
unprivileged-user outputs.conf: [indexAndForward]
index = false
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunk:9997
disabled = false inputs.conf: [monitor:///docker/py-sandbox/log/*.json]
disabled = 0
[monitor:///docker/fa/log/*.json]
disabled = 0 server.conf (i removed the keys/ssl pw, I never created those myself though): [general]
serverName = synoUniFW
pass4SymmKey = <somekey>
[sslConfig]
sslPassword = <some pw>
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free In the Splunk Enterprise I have opened port 9997 and it actually receives logs, until it doesn't... What am I doing wrong? thanks!
... View more
Labels
- Labels:
-
universal forwarder
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-25-2021
08:42 PM
|
