Fail to install Wazuh App for Splunk

phw98064
New Member

I want to install the Wazuh App for Splunk, and I followed the steps in Wazuh's official documentation to enter the command:

/opt/splunk/bin/splunk install SplunkAppForWazuh.tar.gz

But the error occurs:

Error during app install: failed to extract app from /opt/splunk/var/run/splunk/bundle_tmp/SplunkAppForWazuh.tar.gz to /opt/splunk/var/run/splunk/bundle_tmp/acabccc88214c13f: No such file or directory

The previous steps are all correct and I can log in to the visualization website at 127.0.0.1:8000, and everything seems all right. I don't know what the problem is. Any suggestions will be appreciated.

0 Karma
1 Solution

nickhills
Ultra Champion

Ha!
I feel a bit silly for not trying this sooner.

nhmbpr15:tmp nick.hills$ tar -xvf SplunkAppForWazuh.tar.gz
tar: Error opening archive: Unrecognized archive format

The archive file is bad, and can't be uncompressed.

If my comment helps, please give it a thumbs up!

0 Karma

nickhills
Ultra Champion

The version from Splunkbase is OK, but it is older.
https://splunkbase.splunk.com/app/3688/

You could try the latest version from GitHub, which is new and extracts correctly:
https://github.com/wazuh/wazuh-splunk/releases/tag/v3.11.2-8.0.1

You might want to contact the developer and let them know that the published package is broken.

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

I have added this comment as an answer as it is the eventual outcome from your problem.

Please accept it so other people can see what we discovered.
Come back and open another question if you have any problems.

Good luck!

If my comment helps, please give it a thumbs up!
0 Karma

phw98064
New Member

OK. I will try the new version and tell the developer about the broken package later.

Thank you very much!

0 Karma

13tsavage
Communicator

I have some questions that will hopefully help me answer your question.

Do you have the SplunkAppForWazuh.tar.gz downloaded and on your splunk instance?
IF NO, as the error message says, the file does not exist, so first step is get the SplunkAppForWazuh.tar.gz.

For example, this curl will get you a Wazuh app for Splunk v7.1.1
curl -o SplunkAppForWazuh.tar.gz https://packages.wazuh.com/3.x/splunkapp/v3.3.1_7.1.1.tar.gz

IF YES, then make sure your splunk user or the user you want to add the app to has permissions to view the file to unpack.

0 Karma

nickhills
Ultra Champion

You need to provide the full path for the package file, and "app"

/opt/splunk/bin/splunk install app /your/path/SplunkAppForWazuh.tar.gz

I just looked at the Wazuh documentation here:
https://documentation.wazuh.com/3.11/installation-guide/installing-splunk/splunk-app.html
And it's a bit incomplete. Ideally, it would say:

curl -o /tmp/SplunkAppForWazuh.tar.gz https://packages.wazuh.com/3.x/splunkapp/wazuhapp-splunk-3.11.2_8.0.0.tar.gz

/opt/splunk/bin/splunk install app /tmp/SplunkAppForWazuh.tar.gz

If my comment helps, please give it a thumbs up!

phw98064
New Member

Thanks for your answer. And the documentation shows

/opt/splunk/bin/splunk install /your/path/SplunkAppForWazuh.tar.gz

Here is the full path. The documentation link is

https://documentation.wazuh.com/3.11/installation-guide/installing-splunk/splunk-app.html

0 Karma

13tsavage
Communicator

You need to add "app" after "install" and before the path to your tar.gz file.

So it would be /opt/splunk/bin/splunk install app /your/path/SplunkAppForWazuh.tar.gz as @nickhillscpl mentioned

0 Karma

phw98064
New Member

Thanks for your advice. I tried the command like:

/opt/splunk/bin/splunk install app /opt/splunk/bin/SplunkAppForWazuh.tar.gz

But the result is the same:

Error during app install: failed to extract app from /opt/splunk/bin/SplunkAppForWazuh.tar.gz to /opt/splunk/var/run/splunk/bundle_tmp/442aa3661f9da411: No such file or directory

I suppose it is a permission issue; how can I confirm it?

0 Karma

nickhills
Ultra Champion

Are you sure you downloaded the package to /opt/splunk/bin ?
(I would advise against this!)

Please use my suggestion:

curl -o /tmp/SplunkAppForWazuh.tar.gz https://packages.wazuh.com/3.x/splunkapp/wazuhapp-splunk-3.11.2_8.0.0.tar.gz

/opt/splunk/bin/splunk install app /tmp/SplunkAppForWazuh.tar.gz

Which will download the file to your temp folder, and then use the same path for the install command.

If my comment helps, please give it a thumbs up!
0 Karma

phw98064
New Member

Thanks for your comment.
However, using your suggestion the result is same:

[root@localhost etc]# curl -o /tmp/SplunkAppForWazuh.tar.gz https://packages.wazuh.com/3.x/splunkapp/wazuhapp-splunk-3.11.2_8.0.0.tar.gz

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   243    0   243    0     0    222      0 --:--:--  0:00:01 --:--:--   222

[root@localhost etc]# /opt/splunk/bin/splunk install app /tmp/SplunkAppForWazuh.tar.gz

Error during app install: failed to extract app from /tmp/SplunkAppForWazuh.tar.gz to /opt/splunk/var/run/splunk/bundle_tmp/54753e62ef7cccf6: No such file or directory

Is it a permission issue or a download issue?

0 Karma
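As an added example (not code from the thread, from Wazuh or from Splunk), a pre-flight check that would have flagged both the 243-byte "download" above and the "Unrecognized archive format" in the accepted solution before `splunk install app` ever ran: it verifies the file is readable, plausibly sized, really gzip data, and a tar archive with one top-level app directory containing default/app.conf. The size threshold, the app.conf requirement and the function name are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight check for a Splunk app package before `splunk install app <pkg>`.
# Added example, not code from the thread, Wazuh or Splunk. It catches the
# failure seen in the thread: a "download" that is really a short HTML/error
# body, which tar cannot open and splunk reports as "failed to extract app".

check_splunk_package() {
    pkg="$1"
    min_bytes="${MIN_PKG_BYTES:-10240}"   # assumption: real packages dwarf an error page
    if [ ! -r "$pkg" ]; then
        echo "FAIL: $pkg does not exist or is not readable by $(id -un)" >&2
        return 1
    fi
    size=$(wc -c < "$pkg")
    if [ "$size" -lt "$min_bytes" ]; then
        echo "FAIL: $pkg is only $size bytes; starts with: $(head -c 80 "$pkg" | tr -d '\r\n')" >&2
        return 2
    fi
    # gzip data always begins with the magic bytes 1f 8b
    magic=$(head -c 2 "$pkg" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        echo "FAIL: $pkg is not gzip data (first bytes: $magic)" >&2
        return 3
    fi
    # list the archive without unpacking anything to disk
    if ! listing=$(tar -tzf "$pkg" 2>/dev/null) || [ -z "$listing" ]; then
        echo "FAIL: tar cannot read $pkg, or it is empty" >&2
        return 4
    fi
    # a Splunk app package holds exactly one top-level directory: the app name
    top=$(printf '%s\n' "$listing" | cut -d/ -f1 | sort -u)
    if [ "$(printf '%s\n' "$top" | wc -l)" -ne 1 ]; then
        echo "FAIL: expected one top-level app directory, found: $(echo $top)" >&2
        return 5
    fi
    # every Splunk app ships default/app.conf; reject anything without it
    if ! printf '%s\n' "$listing" | grep -qxF "$top/default/app.conf"; then
        echo "FAIL: $top/default/app.conf not in archive" >&2
        return 6
    fi
    echo "OK: $pkg ($size bytes) looks like Splunk app '$top'"
    return 0
}

# run as a script: ./check_pkg.sh /tmp/SplunkAppForWazuh.tar.gz
if [ -n "${1:-}" ]; then check_splunk_package "$1"; fi
```

Run it on the downloaded file before the install command; a non-zero exit and the "starts with:" snippet tell you immediately whether you fetched a tarball or an error page.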

nickhills
Ultra Champion

I'm starting to think it could be - what are the permissions on /opt/splunk/var/run/splunk/bundle_tmp and who is the splunkd process running as?

Use ps -ef | grep splunkd to see.

If my comment helps, please give it a thumbs up!
0 Karma

phw98064
New Member
[root@localhost etc]# ps -ef | grep splunkd
root       8629   2958  1 04:19 ?        00:02:03 splunkd -p 8089 restart
root       8633   8629  0 04:19 ?        00:00:05 [splunkd pid=8629] splunkd -p 8089 restart [process-runner]
root       8857   8633  0 04:19 ?        00:00:21 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore
root      16815   6045  0 07:22 pts/0    00:00:00 grep --color=auto splunkd
0 Karma

nickhills
Ultra Champion

are you running /opt/splunk/bin/splunk install app /tmp/SplunkAppForWazuh.tar.gz as root?

If my comment helps, please give it a thumbs up!
0 Karma

phw98064
New Member

Yes, I used both su root and sudo, but both go wrong.

0 Karma

nickhills
Ultra Champion

you're still missing splunk install app <package>
you need to specify "app" in the command

If my comment helps, please give it a thumbs up!
0 Karma