I have read other articles but haven't found an answer.
I recently pushed the universal forwarder to Windows clients to upgrade from 6.5.1 to 7.2.6 and did not set the user password. The forwarder is functioning, but on start throws the error for "No user configured". I created a user-seed.conf using the instructions with a hashed password and pushed it from the Windows SCCM with a restart after placing the file into system local as described in the user-seed.conf.spec page.
However, the forwarder does not seem to be reading it on restart since I am still seeing the same error. Has anyone else found a reason for this?
We have checked file permissions and don't see a problem. The forwarder is running as a local system service and is seen as a local administrator for the user. The local admin has permissions to the user-seed.conf file.
... View more
I have inherited a Splunk Enterprise and FIPS is on for about half of the environment. My experience has always been negative with FIPS compliance so I am interested in disabling it. Preliminary checks show it is on for my search heads and LM, but not for the Indexer Cluster, CM or DS. I am also reasonably certain it is not on for most if not all of my forwarders. I had to disable it on a heavy forwarder to get some applications working which is a known and documented issue. The application of note was e-streamer which is most likely due to the firepower also not being FIPS enabled. I know Splunk documentation says you can only enable Splunk in FIPS mode from install, but there is nothing about disabling FIPS mode. Any insight, experience or advice would be appreciated.
... View more