Why is Splunk UF not able to send log from Solaris sparc OS?

Jaki001
Explorer

Dear all,

I have installed Splunk UF v8.1.3 on a Solaris SPARC server, v11.5. We are not getting any logs from those servers apart from _internal logs.
We did the checks below.

1. Connection fine: telnet connects.

2. splunkd log: connected to the HF, then refused within a few seconds.

3. Directory path is fine in the inputs.conf file.

4. Nothing found in the HF audit log.

5. Checked firewall logs: they show server reset and client reset.

6. Debug log collected and shared with the support team; no root cause found.

Can you please help with this?

What could be the issue? Is there any configuration that needs to be modified?

BR,

Jakir


Jaki001
Explorer

Hello @gcusello ,

Is there any way to find out whether the UF is facing a permission issue while reading the logs?


gcusello
SplunkTrust

Hi @Jaki001,

You have to check the read permissions on the files to be read for group and others; this way you will know whether the user you're using to run Splunk is enabled to read the files. If not, you have three ways:

  • change the user you're using to run Splunk (I don't like this solution but it's the easiest),
  • change the group of the user you're using to run Splunk, adding the same group as the files to read,
  • change the rights on the files, adding read grants (4) to others.

Ciao.

Giuseppe

isoutamo
SplunkTrust

Check splunkd.log to see if there is something. Another easy way is just to log in as the splunk user (whatever it is in your environment) and then try to look at those files with tail -5 <file>. If you can see their content, then that user has access to the file.

r. Ismo

gcusello
SplunkTrust

Hi @Jaki001,

If you're receiving Splunk internal logs, the connection is OK, so you have to debug the inputs.

At first, check whether the user you're using to run Splunk (on the Forwarder) has the grants to read the files to monitor.

Then you can look at the splunkd logs on the forwarder at $SPLUNK_HOME/var/log/splunk/splunkd.log, or run a search on _internal in Splunk to see what the problem is.

Usually the problem is the grants.

If you continue to have problems, you can open a case with Splunk Support, because your platform is in the compatibility list https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements (only for Universal Forwarders).

Ciao.

Giuseppe
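A way to apply the permission check from the two answers above (gcusello's "read grants for group and others" and isoutamo's "tail the file as the splunk user") without having to switch users: the script below, added here as an example and not code from the thread or from Splunk, pulls the path out of every [monitor://...] stanza in an inputs.conf, reads the mode/owner/group columns of `ls -ld` for that file and for each of its parent directories, and predicts whether a given account could open it. It checks the parent directories on purpose: a 644 log under a 700 directory is still unreadable, and that is easy to miss when you only look at the file. It uses only POSIX sh, ls, id, sed, awk and cut, so it runs on Solaris. The fixture directory, the two log files, the stanza contents and the `nobody` account are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: predict whether the account running splunkd
# could read each path named in a [monitor://...] stanza, without su/sudo.
# Uses only POSIX sh, ls -ld, id, sed, awk and cut, so it runs on Solaris too.

# file_meta PATH -> "MODE OWNER GROUP" from ls -ld (empty if PATH does not exist).
# Note: for a symlink this is the link's own mode, not the target's.
file_meta() {
    ls -ld "$1" 2>/dev/null | awk '{print $1, $3, $4}'
}

# user_in_group USER GROUP -> 0 if GROUP is among USER's primary/supplementary groups.
user_in_group() {
    for _grp in $(id -Gn "$1" 2>/dev/null); do
        [ "$_grp" = "$2" ] && return 0
    done
    return 1
}

# has_bit MODE USER OWNER GROUP BIT -> 0 if USER gets BIT (r or x) on an object whose
# ls mode string is MODE (e.g. -rw-r-----) and which is owned by OWNER:GROUP.
has_bit() {
    _mode=$1; _who=$2; _bit=$5
    if [ "$_who" = "$3" ]; then _set=$(echo "$_mode" | cut -c2-4)           # owner triplet
    elif user_in_group "$_who" "$4"; then _set=$(echo "$_mode" | cut -c5-7) # group triplet
    else _set=$(echo "$_mode" | cut -c8-10)                                 # others triplet
    fi
    case "$_bit:$_set" in
        r:r??) return 0 ;;
        x:??[xst]) return 0 ;;   # x, or setuid/setgid/sticky combined with x
    esac
    return 1
}

# can_read PATH USER -> 0 if USER can open PATH for reading: needs r on the file and
# x (search) on every parent directory; a 700 parent blocks a 644 file just the same.
can_read() {
    _path=$1; _usr=$2
    case "$_path" in /*) ;; *) _path="${PWD%/}/$_path" ;; esac   # make the walk-up end at /
    set -- $(file_meta "$_path")
    [ $# -eq 3 ] || return 1                                      # missing file or unexpanded wildcard
    has_bit "$1" "$_usr" "$2" "$3" r || return 1
    _dir=$(dirname "$_path")
    while :; do
        set -- $(file_meta "$_dir")
        [ $# -eq 3 ] || return 1
        has_bit "$1" "$_usr" "$2" "$3" x || return 1
        [ "$_dir" = "/" ] && return 0
        _dir=$(dirname "$_dir")
    done
}

# monitor_paths INPUTS_CONF -> the path part of every [monitor://...] stanza.
monitor_paths() {
    sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$1"
}

# check_inputs INPUTS_CONF USER -> one OK/NOREAD line per stanza; returns the number
# of paths USER could not read (0 means every monitored file is readable).
check_inputs() {
    _bad=0
    set -f                      # keep "*" and "..." in stanza paths from being globbed
    for _p in $(monitor_paths "$1"); do
        if can_read "$_p" "$2"; then
            echo "OK      $_p"
        else
            echo "NOREAD  $_p"; _bad=$((_bad + 1))
        fi
    done
    set +f
    return $_bad
}

# make_fixture -> builds a throwaway directory (constructed demo data) holding an
# inputs.conf plus a world-readable log and an owner-only log; prints the directory.
make_fixture() {
    _fx=$(mktemp -d /tmp/splunkperm.XXXXXX) || return 1
    chmod 755 "$_fx"
    printf 'app started\n'  > "$_fx/readable.log"; chmod 644 "$_fx/readable.log"
    printf 'audit record\n' > "$_fx/secret.log";   chmod 600 "$_fx/secret.log"
    cat > "$_fx/inputs.conf" <<EOF
[monitor://$_fx/readable.log]
index = main
sourcetype = app_log

[monitor://$_fx/secret.log]
index = main
sourcetype = audit_log
EOF
    echo "$_fx"
}

# Stand-alone run: check the fixture as the account named in $1 (default: nobody).
demo_dir=$(make_fixture) || exit 1
check_inputs "$demo_dir/inputs.conf" "${1:-nobody}" || echo "$? monitored path(s) not readable by ${1:-nobody}"
rm -rf "$demo_dir"
```

Run it on the forwarder as `sh permcheck.sh splunk` (or whatever account `ps -o user -p $(pgrep splunkd)` reports) and point `check_inputs` at the real inputs.conf; every NOREAD line is a file the UF will silently skip. Stanzas that use `*` or `...` are reported as NOREAD because the script does not expand wildcards, and paths containing spaces are not handled. Once the file side is clean, the remaining suspects are the ones gcusello lists: splunkd.log on the forwarder and a search over `index=_internal` for that host.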
