I am getting inconsistent issues when running the streamfwd on CentOS 7.x
On the Deployment server some data is captured, i.e. Stream Estimate shows statistics
The heavy forwarders, which are generally set up the same way, do not produce any data
Setup:
- CentOS 7.1 systems; `cat /etc/redhat-release` gives `CentOS Linux release 7.2.1511 (Core)`
- Splunk Enterprise 6.5 on Deployment Server and 2 Heavy forwarders
- Splunk is running with the user splunk:splunk, not root
Step 1: Installing Splunk Stream on the Deployment server, go to app directory, `./set_permissions`
Step 2: Deploy App, go to forwarders, ./set_permission
Now the deployment server and forwarders should be set up the same way.
But on the forwarder I get the following message
`SnifferReactor failed to open pcap adapter for device . Error message:`
When the forwarder is run as root, which is not an option long term, then it works the same
I first thought the permissions might not be set correctly, as
`splunk 4212 0.5 1.7 631520 68836 ? Ssl 17:42 0:00 /opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd`
actually calls a reference of the rhel5 version on the Deployment server
`lrwxrwxrwx. 1 splunk splunk 15 Nov 25 17:29 streamfwd -> streamfwd-rhel5`
`-rwxr-xr-x. 1 splunk splunk 47M Nov 5 07:28 streamfwd-rhel5`
`-rws--x--x. 1 root splunk 48M Nov 5 07:28 streamfwd-rhel6`
On the forwarder it actually calls a binary instead, which is identical to rhel5
`-rwxr-xr-x. 1 splunk splunk 47M Nov 25 19:00 streamfwd`
`-rwxr-xr-x. 1 splunk splunk 47M Nov 25 19:00 streamfwd-rhel5`
`-rws--x--x. 1 root splunk 48M Nov 25 19:00 streamfwd-rhel6`
This might be because the deployment app is set up like this and it deploys the referenced binary instead of the link
`lrwxrwxrwx. 1 splunk splunk 15 Nov 25 17:29 streamfwd -> streamfwd-rhel5`
But this does not explain either of the following:
- why are the permissions "fixed" for rhel6 when rhel5 is actually called?
- why does it work on the deployment server but not on the heavy forwarder?
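
For the permission question above, an added example (not part of the original post and not Splunk's own tooling): a shell helper that reports what each `streamfwd*` entry resolves to and whether the resolved file is setuid root or carries file capabilities, the two usual ways a non-root process is allowed to open a capture device on Linux. The function names are hypothetical; it assumes GNU `stat` and `readlink -f`, and `getcap` is optional.

```shell
#!/bin/sh
# Added example: report what a capture binary name resolves to and whether
# the resolved file could open a pcap device when started by a non-root user.
# Assumes GNU coreutils (stat -c, readlink -f), as shipped on CentOS 7.

audit_capture_binary() {
    path=$1
    [ -e "$path" ] || { echo "missing: $path"; return 1; }

    # A deployed app may contain a copy where the source had a symlink,
    # so record both facts: is it a link, and which file is really executed.
    if [ -L "$path" ]; then link=yes; else link=no; fi
    target=$(readlink -f "$path")

    owner=$(stat -c %U "$target")
    mode=$(stat -c %a "$target")     # octal, e.g. 4711 or 755

    # The setuid bit only grants root privileges when the owner is root.
    setuid=no
    if [ -u "$target" ]; then setuid=yes; fi
    setuid_root=no
    if [ "$setuid" = yes ] && [ "$owner" = root ]; then setuid_root=yes; fi

    # File capabilities (e.g. cap_net_raw) are the other route to raw sockets.
    caps=unknown
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$target" 2>/dev/null | sed 's/^[^ ]* *=* *//')
        [ -n "$caps" ] || caps=none
    fi

    echo "name=$(basename "$path") link=$link target=$(basename "$target")" \
         "owner=$owner mode=$mode setuid=$setuid setuid_root=$setuid_root caps=$caps"
}

# Audit every streamfwd* entry in one directory.
audit_dir() {
    for f in "$1"/streamfwd*; do audit_capture_binary "$f"; done
}

# Stand-alone use: sh audit.sh /path/to/app/linux_x86_64/bin
if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

Running it on the deployment server and on a forwarder and comparing the `link`, `target` and `setuid_root` columns shows whether the deployed copy kept the symlink and the privileged mode.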