All Apps and Add-ons

Splunk Add-on for Unix and Linux - interfaces.sh ERROR

mysicksi
Path Finder

Hi all,

I was working with Splunk's support on an issue with my previous post. They suggested the first step should be to correct the error seen in splunkd.log with interfaces.sh seeing a virbr0 interface on my CentOS machines. I temporarily disabled interfaces.sh as a stop-gap to see if it fixes the issue, but I would like to correct it permanently.

The hosts are VMs, and to my understanding virbr0 is there should the host act as a hypervisor. Because we are not creating any VMs from these hosts, this interface should be redundant. Is there a way to NOT have interfaces.sh monitor the virbr0 interface? Below are the errors I am receiving. Thank you.

04-21-2020 08:38:52.939 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/virbr0/duplex: Invalid argument
04-21-2020 08:38:52.951 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/virbr0/speed: Invalid argument
04-21-2020 08:38:52.955 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/virbr0-nic/duplex: Invalid argument
04-21-2020 08:38:52.964 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/virbr0-nic/speed: Invalid argument

0 Karma
1 Solution

PavelP
Motivator

Hi @mysicksi ,

there are several solutions, you can modify the interfaces.sh script by adding "grep -v virbr0" to this line:

        # Customizing the command to support customer's requirement
        CMD_LIST_UP_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"

BUT, this change will be overwritten if you upgrade the Splunk_TA_nix

I would exclude virbr0 on the splunk side in a search.

View solution in original post

0 Karma

PavelP
Motivator

Hi @mysicksi ,

there are several solutions, you can modify the interfaces.sh script by adding "grep -v virbr0" to this line:

        # Customizing the command to support customer's requirement
        CMD_LIST_UP_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"

BUT, this change will be overwritten if you upgrade the Splunk_TA_nix

I would exclude virbr0 on the splunk side in a search.

0 Karma

mysicksi
Path Finder

Hi @PaveIP,

Due to Splunk supports suggestion to correct this ERROR, I followed your first solution and edited the interfaces.sh file. This has worked and I am no longer receiving the error on the Linux machine. Thank you for your help!

0 Karma

mysicksi
Path Finder

I should add that although I disabled the interfaces.sh on the deployment server, I am still receiving the error.

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...