
Splunk Add-on for Unix and Linux: Why are none of the predefined inputs working to index log data from our Debian hosts?

tlawler
Explorer

Background Information:

  • Currently on a 60 day trial of Splunk
  • Splunk Enterprise is running on Debian Wheezy
  • Splunk Enterprise Version 6.2.2
  • Splunk Universal Forwarder on (5) Debian Wheezy Hosts
  • Splunk Universal Forwarder on (1) Windows 8.1 Host
  • Splunk Universal Forwarder Version 6.2.2
  • Deploy Poll: 8089
  • Forward Server: 9997

We are having trouble with the "Splunk Add-on for Unix and Linux" (https://splunkbase.splunk.com/app/833/), as we are unable to get log data from our Debian Hosts to the indexer without manually adding the log location from the "Add Data" Process. None of the predefined inputs work, and we are unable to index the "File and Directory Inputs" or the "Scripted Inputs" as listed in the "Splunk Add-on for Unix and Linux" Setup page. We have tried installing the forwarder on various hosts within the infrastructure, uninstalling the forwarders & reinstalling forwarders on the Debian hosts, uninstalling & reinstalling the "Splunk Add-on for Unix and Linux", & nothing we have attempted has fixed the problem we seem to have.

In contrast, the "Splunk Add-on for Microsoft Windows" works perfectly with the Windows 8.1 host, and we were able to get the log data indexed & it is currently searchable. All of the predefined inputs work as advertised and we don't have any issues.

We are lost & looking for answers. Any help is appreciated, & I can provide more details if needed.

Thomas

0 Karma
1 Solution

tlawler
Explorer

Turns out this was a permission issue. When Splunk was initially installed on the Debian VM, the installation package created a user "506" that didn't have rights to perform the necessary actions to input data with the Add-on for Unix and Linux. Very Strange.

Anyway, I had to reconfigure the whole installation by removing the Splunk VM, stopping forwarders etc., and everything is working properly.

Thank you for the help!


0 Karma
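The accepted answer above traces the failure to the account the forwarder was running as lacking the rights the add-on's inputs need, and an earlier reply in the thread had pointed at sysstat. The following POSIX shell script is an added example (not code from the thread, from Splunk, or from the add-on) that a defender can run on a Debian host to check both conditions before touching the add-on's configuration: whether a given service account can read each log file the file inputs are meant to follow, and whether the sysstat binaries the scripted inputs rely on are on PATH. The account name `splunk`, the log paths passed on the command line, and the list of tool names are assumptions; the script relies on GNU `stat -c`, which is what Debian ships.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check that the Universal
# Forwarder's service account can read the log files the Splunk Add-on for
# Unix and Linux's file inputs point at, and that the sysstat tools its
# scripted inputs depend on exist. Assumptions: GNU stat, account name and
# paths supplied by the caller.

# Pure permission-bit check, evaluated from mode/ownership numbers so it can
# be run as any user without switching to the service account.
# Args: octal mode (as printed by `stat -c %a`), owner uid, owner gid,
#       candidate uid, candidate gids (space separated).
# Returns 0 if the candidate may read the file, 1 otherwise. uid 0 always may.
mode_allows_read() {
    mode=$1; owner=$2; group=$3; uid=$4; gids=$5
    [ "$uid" -eq 0 ] && return 0
    # keep the last three octal digits (drops setuid/setgid/sticky bits)
    perms=$(printf '%03d' "$mode" | sed 's/.*\(...\)$/\1/')
    u=$(printf '%s' "$perms" | cut -c1)
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    if [ "$uid" -eq "$owner" ]; then
        [ $((u & 4)) -ne 0 ]; return
    fi
    for gid in $gids; do
        if [ "$gid" -eq "$group" ]; then
            [ $((g & 4)) -ne 0 ]; return
        fi
    done
    [ $((o & 4)) -ne 0 ]
}

# Resolve the account's ids and the file's ownership, then apply the check.
# Args: username, path. Prints a verdict line; returns 0 when readable.
check_file_readable() {
    user=$1; path=$2
    if [ ! -e "$path" ]; then
        printf 'MISSING  %s\n' "$path"; return 1
    fi
    uid=$(id -u "$user" 2>/dev/null) || { printf 'NO USER  %s\n' "$user"; return 1; }
    gids=$(id -G "$user")
    set -- $(stat -c '%a %u %g' "$path")   # GNU stat (Debian); assumption
    if mode_allows_read "$1" "$2" "$3" "$uid" "$gids"; then
        printf 'OK       %s\n' "$path"
    else
        # Debian's syslog files are typically 0640 root:adm, so the usual fix
        # is adding the service account to the adm group, not chmod on the log.
        printf 'DENIED   %s (mode %s, owner uid %s gid %s; %s has gids: %s)\n' \
            "$path" "$1" "$2" "$3" "$user" "$gids"
        return 1
    fi
}

# The add-on's scripted inputs shell out to system tools; which binaries are
# named here is an assumption for the example (sar/iostat/mpstat from
# sysstat, vmstat from procps). Returns 1 if any is missing.
check_tools() {
    missing=0
    for t in sar iostat mpstat vmstat; do
        command -v "$t" >/dev/null 2>&1 || { printf 'NO TOOL  %s\n' "$t"; missing=1; }
    done
    return $missing
}

main() {
    user=${1:-splunk}
    [ $# -gt 0 ] && shift
    rc=0
    check_tools || rc=1
    for p in "$@"; do
        check_file_readable "$user" "$p" || rc=1
    done
    return $rc
}

# Usage: sh check_forwarder_access.sh splunk /var/log/syslog /var/log/auth.log
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root (or any account allowed to stat the logs) with the forwarder's service account and the paths the add-on's inputs.conf monitors; a DENIED line tells you the mode and ownership so the fix can be a group membership change rather than loosening permissions on system logs.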


jcoates_splunk
Splunk Employee

tlawler
Explorer

jcoates,

Thank you for the response.

I will check and make sure sysstat is installed on the hosts in the morning, and I will report back with the results.

We are not seeing any errors like in the link provided above.

Thomas

0 Karma

tlawler
Explorer

Update:

All of the Debian VMs had sysstat installed.

Any other ideas?

0 Karma

tlawler
Explorer

Bump. Anyone?

0 Karma

ChrisG
Splunk Employee

Just to make sure...did you enable the data and scripted inputs (http://docs.splunk.com/Documentation/UnixAddOn/5.1.2/User/Enabledataandscriptedinputs)? I can't quite tell from the way you worded your question.

0 Karma

tlawler
Explorer

Chris,

Thank you for the response. Everything is enabled in the Setup page.


0 Karma