Still struggling to get our 9.1.3 forwarders working on RHEL7 and RHEL8 on DISA STIGed machines after the upgrade. Nothing I can find online, even here, to help yet. 'tcp_conn-open-afux ossocket_connect failed with no such file or directory' messages and SplunkForwarder.service just vanishes. Really? Tried yum erase and rm -R /opt/splunkforwarder and new install and still no-go. Worked before as splunk user. <aargh!> Worked before the upgrade. Going back to older version for now since the Cyber Team is really miffed.

Update 1: Well - added splunkfwd account to the root group and made progress, but not 100%. Will try root:root as experiment - it does appear to be permission issues on STIG locked down machine even though splunkfwd:splunkfwd owns all /opt/splunkforwarder/ files and directories.

Update 2: Running as root has not fixed the issue. 'netstat -an|grep 9997' on forwarder and indexer machines shows connections, 'Forwarder: Deployment' screen shows the non-working forwarders but 'Forwarder Management' screen does not show the forwarders. The 9.1.2 and 8.2.2.1 (yeah, old - but there are reasons) still work fine forwarding to the 9.1.3 indexer. Hoping 9.2.0.1 fixes this or I must roll back.