Activity Feed
- Posted Re: After 6.4 upgrade every server erroring with: ERROR AuditTrailManager Host="host::ServerNAME" cannot open D:\Program Files...\persistentstorage\audit\seqnum_host::ServerNAME.dat for write on Installation. 06-30-2016 10:19 AM
- Posted Re: After 6.4 upgrade every server erroring with: ERROR AuditTrailManager Host="host::ServerNAME" cannot open D:\Program Files...\persistentstorage\audit\seqnum_host::ServerNAME.dat for write on Installation. 06-28-2016 05:31 PM
- Posted Re: Anyone interested in Splunk for Sampled NetFlow and sFlow? on Getting Data In. 06-26-2013 11:18 AM
- Posted Re: F5/Splunk App - LTM dashboard on Dashboards & Visualizations. 09-28-2011 11:38 AM
- Posted Re: splunk for F5 app: getting data to splunk on Getting Data In. 07-27-2010 10:01 PM
- Posted Re: How do I get syslog from an F5 BIG-IP? on Getting Data In. 07-27-2010 09:53 PM
- Posted Re: using setcap to allow non-root splunk user to start splunkweb on port 443 on Deployment Architecture. 07-27-2010 09:05 PM
- Posted using setcap to allow non-root splunk user to start splunkweb on port 443 on Deployment Architecture. 07-27-2010 01:08 AM
06-30-2016 10:19 AM (1 Karma)
I got this answer from my SE - support didn't get back to me.
I searched our cases and based on responses that support has given to another customer, this is a known issue (SPL-122185) and is targeted to be fixed in 6.4.2.
Here is their suggested workaround for another customer: "For the time being, please attempt the following workaround:
1 - create a log-local.cfg (cloned from log.cfg) inside $SPLUNK_HOME/etc, see also here:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Troubleshooting/Enabledebuglogging#log-local.cfg
2 - edit log-local.cfg and add following line inside the [splunkd] stanza (at the bottom will be ok):
category.AuditTrailManager=CRIT
3 - restart splunk.
4 - check splunkd.log again and see if you still get the error messages you noticed earlier.
This won't affect any main Splunk functionality. It will only cause the events in the _audit index to lack the sequence ID, while all other info will be there.
Please let me know how it goes, many thanks.
Sorry for the inconvenience.
06-28-2016 05:31 PM
Added case 369724 as well. Cam, did you get any further updates on this issue?
This log message doesn't seem to indicate that the indexer is having problems receiving data, as there is new data coming in for hosts, and I am able to execute queries, but the error seems to repeat regularly for each client system that makes a tcp connection to the indexer.
06-26-2013 11:18 AM
We use InMon for sFlow analytics today. I'd like to move to a single application as much as possible, but InMon provides a lot of visibility for sFlow, sFlow-HTTP and IPFIX.
In the future, I'd also like to be able to use IF-MAP to communicate with IPAM (Infoblox) and other asset/traffic management appliances, to give the sFlow/IPFIX tools more granular knowledge about the network traffic and the user creating that traffic.
09-28-2011 11:38 AM
I came upon this thread a bit late, but with the advent of v10 / v11 software, and multi-module BIG-IP systems (WAM + ASM + LTM on one system, for example), I've found a different tack on the transforms.conf. You can see some of it in the $SPLUNK_HOME/etc/apps/SplunkforF5/default/ config files.
Each of the modules that runs through AlertD will prepend the log message with a number in this format:
REGEX = (\d{4}[0-9A-Fa-f]{4}:\d+:)
For example, the apm_log regex in transforms.conf is:
REGEX = :\s(?:0149[0-9A-Fa-f]{4}:\d+:|0125[0-9A-Fa-f]{4}:\d+:\s[0-9A-Fa-f]{8}:)
Make sure your props.conf file calls those dynamic transforms out, and then you don't have to manually define every LTM on your network in transforms.conf:
TRANSFORMS-f5 = firepass_sourcetyper, asm_sourcetyper, apm_sourcetyper, irule_sourcetyper, PSM_sourcetyper_smtp, PSM_sourcetyper_http, PSM_sourcetyper_ftp, bigip_sourcetyper
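Added example, not code from the post or from the Splunk for F5 app: the two regexes quoted above applied in Python to constructed BIG-IP syslog lines, in the order a transforms.conf chain would try them (the specific apm match first, then the generic module prefix). The sourcetype names returned and the `:\s` anchor on the generic prefix are assumptions.

```python
import re

# Generic AlertD prefix described in the post: four decimal digits naming the
# module, four hex digits for the message id, then a numeric severity. The
# leading ":\s" anchor mirrors the apm regex (assumption) so that timestamps
# and hostnames cannot be mistaken for a prefix.
MODULE_PREFIX = re.compile(r":\s(?P<module>\d{4})(?P<msg>[0-9A-Fa-f]{4}):(?P<sev>\d+):")

# The apm_sourcetyper REGEX quoted in the post (module ids 0149 and 0125).
APM_PREFIX = re.compile(
    r":\s(?:0149[0-9A-Fa-f]{4}:\d+:|0125[0-9A-Fa-f]{4}:\d+:\s[0-9A-Fa-f]{8}:)"
)


def sourcetype_for(line: str) -> str:
    """Mimic a transforms.conf chain: the specific apm regex is tried first,
    then the generic module prefix, then a catch-all. The sourcetype names
    returned here are assumptions, not the app's own names."""
    if APM_PREFIX.search(line):
        return "f5:bigip:apm"
    m = MODULE_PREFIX.search(line)
    if m:
        return "f5:bigip:module:" + m.group("module")
    return "f5:bigip:syslog"


def classify(lines):
    """Return (module id or None, sourcetype) per line, for review."""
    out = []
    for line in lines:
        m = MODULE_PREFIX.search(line)
        out.append((m.group("module") if m else None, sourcetype_for(line)))
    return out


# Constructed sample lines (not real captures); only the prefix format matters.
SAMPLE_LINES = [
    "Jul 27 21:53:00 bigip1 notice apd[4321]: 01490010:5: Session created",
    "Jul 27 21:53:01 bigip1 notice tmm[5]: 01250007:5: 1a2b3c4d: Access policy result",
    "Jul 27 21:53:02 bigip1 notice tmm1[9876]: 01070417:5: Pool member down",
    "Jul 27 21:53:03 bigip1 info sshd[222]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for line, (module, st) in zip(SAMPLE_LINES, classify(SAMPLE_LINES)):
        print(f"{st:<22} module={module}  {line}")
```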
07-27-2010 10:01 PM (1 Karma)
Justin -
Take a look at the F5 Admin Guide for ASM [1] for Configuring logging profiles for web application data. You'll see that you are able to specify the destination and port for your ASM logs here. This is different than the Syslog configuration of the local TMOS appliance.
[1] http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_sys_mgmt.html#1028448
07-27-2010 09:53 PM (2 Karma)
HSL logging via iRules is excellent for application traffic, but not for administration traffic, audit logs, and iRule event logging. Also, HSL is only available in BIG-IP v10.0 and newer.
For syslogging administrative activity, you want this (also 10.0 syntax, but it is there in v9 as well, via 'bigpipe syslog' commands):
# tmsh list /sys syslog
sys syslog {
    remote-servers {
        syslog {
            host 10.10.10.2
        }
    }
}
Note that if you use a syslog server via your OOB management network interface, you will be able to log messages during software upgrades, or during failsafe events, where the application network is not available. However, your System logs will then come from the management interface address, and your HSL logs will come from a different address.
Also note that in any event, both members of an HA pair will syslog as their own device IP addresses, and will not use the floating address to send logs. HSL logging has a method for specifying the address that the message should come from, so the HA pair logs as the same address.
Cheers~
Casey
F5 IT Network Engineer
07-27-2010 09:05 PM
Yes, I did check that. Execution works flawlessly if I remove the capability permissions.
I did discover the capable_probe kernel module here [1], and I was able to discover that splunkd requests the permissions first. I modified splunkd permissions, and ran into the same issue: splunkd no longer looked in /opt/splunk/lib for dynamic libraries.
However, splunkweb will not start, even when splunkd can find them. I opened a similar question with Ubuntu, 119518 [2], also.
[1] http://www.friedhoff.org/downloads.html
[2] https://answers.launchpad.net/ubuntu/+source/libcap2/+question/119158
07-27-2010 01:08 AM (4 Karma)
Per the instructions found here in the splunkbase and here, I tried to use the 'setcap' command. I can't quite get it to work. Modifying /opt/splunk/bin/splunk does not allow splunk to bind to the admin ports. Trying to setcap /opt/splunk/bin/python2.6 causes python to lose access to the local python modules.
Is there a documented way to use Linux Capabilities to allow a non-root Splunk system to listen on 443 and 514?
First test of setcap, nothing changed but the permissions of bin/splunk:
cps@sea-splunk01:/opt/splunk/bin$ setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
unable to set CAP_SETFCAP effective capability: Operation not permitted
cps@sea-splunk01:/opt/splunk/bin$ sudo !!
sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Done.
If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation
The Splunk web interface is at http://sea-splunk01:8000
OK, this all works, so I'm going to try modifying it to use port 443 and restart:
cps@sea-splunk01:/opt/splunk/etc$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [443]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Error starting splunkweb.
Hmmm, it saw that 443 was open, but couldn't bind it. Rats. Change back to 8443 for now, and restart.
Let's try modifying bin/python2.6, and see what happens
cps@sea-splunk01:/opt/splunk/bin$ sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/python2.6
cps@sea-splunk01:/opt/splunk/bin$
cps@sea-splunk01:/opt/splunk/bin$
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [8443]: open
Checking mgmt port [8089]: open
Traceback (most recent call last):
File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli.py", line 17, in <module>
import splunk.clilib.cli_common as comm
File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli_common.py", line 6, in <module>
import lxml.etree as etree
ImportError: libxslt.so.1: cannot open shared object file: No such file or directory
- Tags:
- linux
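The failure at the end of the post above has a specific cause: when a binary carries file capabilities, the kernel starts it with AT_SECURE set and glibc's loader then ignores LD_LIBRARY_PATH (and LD_PRELOAD), so libraries that were only reachable through that variable, here libxslt.so.1 under /opt/splunk/lib, cannot be found. The following added script (not from the post or from Splunk) audits for that combination by parsing getcap and ldd output; the sample output, the trusted-directory list and the assumption that ldd ran with LD_LIBRARY_PATH=/opt/splunk/lib are all constructed.

```python
import re

# Directories the glibc loader still searches in secure-execution mode
# (assumption: the default trusted dirs; ld.so.conf.d entries vary per distro).
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# getcap output, older "path = cap_x+ep" or newer "path cap_x=ep" shape.
GETCAP_RE = re.compile(r"^(?P<path>/\S+)\s*=?\s*(?P<caps>cap_\S+)\s*$")
# ldd output lines such as "libxslt.so.1 => /opt/splunk/lib/libxslt.so.1 (0x...)".
LDD_RE = re.compile(r"^\s*(?P<soname>\S+)\s*=>\s*(?P<resolved>/\S+)")

def parse_getcap(text: str) -> dict:
    """Map each capability-bearing binary to its capability string."""
    caps = {}
    for line in text.splitlines():
        m = GETCAP_RE.match(line.strip())
        if m:
            caps[m.group("path")] = m.group("caps")
    return caps

def in_trusted_dir(path: str) -> bool:
    return any(path.startswith(d + "/") for d in TRUSTED_DIRS)

def untrusted_libs(ldd_text: str) -> list:
    """Libraries ldd resolved outside the trusted dirs: once AT_SECURE makes the
    loader ignore LD_LIBRARY_PATH, these are the ones that fail to load."""
    found = []
    for line in ldd_text.splitlines():
        m = LDD_RE.match(line)
        if m and not in_trusted_dir(m.group("resolved")):
            found.append((m.group("soname"), m.group("resolved")))
    return found

def audit(getcap_text: str, ldd_by_path: dict) -> dict:
    """For every binary with file capabilities, list the libraries that
    break once the loader stops honouring LD_LIBRARY_PATH."""
    return {p: untrusted_libs(ldd_by_path.get(p, "")) for p in parse_getcap(getcap_text)}

# Constructed sample output (not captured from a real host); the ldd run is
# assumed to have had LD_LIBRARY_PATH=/opt/splunk/lib, as the post's lookups imply.
GETCAP_OUT = "/opt/splunk/bin/python2.6 = cap_net_bind_service+ep\n"
LDD_OUT = {"/opt/splunk/bin/python2.6": (
    "\tlinux-vdso.so.1 =>  (0x00007fff00000000)\n"
    "\tlibxslt.so.1 => /opt/splunk/lib/libxslt.so.1 (0x00007f0000000000)\n"
    "\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000100000)\n")}

if __name__ == "__main__":
    for path, libs in audit(GETCAP_OUT, LDD_OUT).items():
        for soname, resolved in libs:
            print(f"{path}: {soname} only reachable via LD_LIBRARY_PATH ({resolved})")
```

In practice the remedy is to make the libraries resolvable without the environment (an RPATH or an ld.so.conf.d entry) or to avoid file capabilities on the interpreter altogether by fronting Splunk web with a reverse proxy or a port redirect.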