- Community
- :
- Splunk Answers
- :
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Add-on for Unix and Linux - interfaces.sh E...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I was working with Splunk's support on an issue with my previous post. They suggested the first step should be to correct the error seen in splunkd.log with interfaces.sh seeing a virbr0 interface on my CentOS machines. I temporarily disabled interfaces.sh as a stop-gap to see if it fixes the issue, but I would like to correct it permanently.
The hosts are VMs, and to my understanding virbr0 is there should the host act as a hypervisor. Because we are not creating any VMs from these hosts, this interface should be redundant. Is there a way to NOT have interfaces.sh monitor the virbr0 interface? Below are the errors I am receiving. Thank you.
04-21-2020 08:38:52.939 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/virbr0/duplex: Invalid argument
04-21-2020 08:38:52.951 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/virbr0/speed: Invalid argument
04-21-2020 08:38:52.955 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/virbr0-nic/duplex: Invalid argument
04-21-2020 08:38:52.964 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/virbr0-nic/speed: Invalid argument
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mysicksi ,
there are several solutions, you can modify the interfaces.sh script by adding "grep -v virbr0" to this line:
# Customizing the command to support customer's requirement
CMD_LIST_UP_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
BUT, this change will be overwritten if you upgrade the Splunk_TA_nix
I would exclude virbr0 on the splunk side in a search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mysicksi ,
there are several solutions, you can modify the interfaces.sh script by adding "grep -v virbr0" to this line:
# Customizing the command to support customer's requirement
CMD_LIST_UP_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
BUT, this change will be overwritten if you upgrade the Splunk_TA_nix
I would exclude virbr0 on the splunk side in a search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @PaveIP,
Due to Splunk supports suggestion to correct this ERROR, I followed your first solution and edited the interfaces.sh file. This has worked and I am no longer receiving the error on the Linux machine. Thank you for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I should add that although I disabled the interfaces.sh on the deployment server, I am still receiving the error.
Splunk Security Content for Threat Detection & Response, Q1 Roundup
Splunk Life | Happy Pride Month!
SplunkTrust | Where Are They Now - Michael Uschmann
