While the REST API of the forwarder is not configured to allow POST requests until the password is changed on versions prior to 7.1.0, changing the password is still recommended. Starting at 7.1.0, the forwarders required either a user-seed file or manual input of the password during first-time run. *Nix - dateTimeCorrect.sh Update local user password on Splunk Forwarders (primary installations before 7.1.0)įorwarders deployed before version 7.1.0 didn't require the admin password be changed upon installation. Please see the above documentation link for instructions for other Splunk instances. NOTE: This should only be used on Universal Forwarders. This app contains scripts for Windows and Linux forwarders that will back up the existing "datetime.xml" to replace with the corrected version contained within the app. It is preferable to simply upgrade Splunk versions (Splunk Enterprise or Splunk Universal Forwarder) that already has this fix in place.Ī notice was sent out in November of 2019 that stated there was an issue with the datetime.xml that would affect data ingested due to a misconfigured datetime.xml. This method is also not the safest method to update this file and should not be used. The scripts that performed this action have been retired. *Nix - regenGUID.sh Install updated datetime.xml file (REMOVED) Upon restarting, a new GUID will be generated. This app contains scripts for Windows and Linux forwarders that will move the existing "instance.cfg" to become a backup and restart the forwarder. While this doesn't affect how a forwarder performs its duties, unique GUIDs ensures if hosts have the same name they are still uniquely identifiable for troubleshooting purposes. *Nix - hostCorrect.sh Regenerate forwarder GUIDĪnother by-product of the previous use-case is forwarder GUIDs all being the same. The scripts are designed to only change what is needed and leave the rest of the files unchanged. This app contains scripts for Windows and Linux forwarders that will determine if correction is necessary in the local "nf" and "nf" and correct them. This usually happens when an image template isn't properly maintained after a forwarder has been embedded in it. Many times we've come across an environment where hundreds of forwarders are reporting with the same name and forwarder GUID. *Nix - dsRemove.sh Correct inputs/server host name configurations Once the proper app and deployment server configurations are deployed to the host(s) using the deploymentServerUri and deploymentClientApp configurations in nf, this app will remove all configurations that would prevent those configurations for working. This allows for that configuration to only be controlled via the deployment server from that point forward. This app contains scripts for Windows and Linux forwarders that will remove local configurations of "nf" in favor of a configuration that has been deployed from the deployment server. These configurations may last for a while and cause issues down the road like if a new deployment server is stood up or an IP address changes. Remove local deployment server configurationsĮarly in a deployment of Splunk, local configurations could be used while getting familiar with how Splunk works. Changing the default password (Version Inputs and server host name configurations."$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\pwchange.ps1" "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\dsRemove.ps1" "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\hostCorrect.ps1" "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\regenGUID.ps1" "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\restart.ps1"
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |