Handling Integrity Warning in Splunk Environment

Splunk Integrity Warning: Our Splunk environment has a file integrity issue, so the search head "Splunk instance A" is showing an integrity warning.
An integrity issue occurs when a system default file is edited. Note that in Splunk we must not edit system default files; they must be kept as shipped, in their original version.

Warning Message: Search peer XXX.XXX.X.XXX has the following message: File Integrity checks found 1 files that did not match the system-provided manifest. Review the list of problems reports by the InstalledFileHashChecker in splunkd.log File Integrity Check View : potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem. Learn more.

This message tells us that something has been edited in the default files of the Splunk instance. To resolve the issue, we need to restore the original version of those files.

Warning Message Snip:


Debugging
1. If you click the link "File Integrity Check View" in the warning message itself on "Splunk instance A", it lists the files that differ from their original version.
2. Alternatively, run the following command on "Splunk instance A" (the instance with the integrity issue). It lists the files that differ from their original version.
            /opt/splunk/bin/splunk validate files
Below, the results show that the integrity issue is with the README file in deployment-apps: the file is reported as missing, which is what triggers the file integrity warning.
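To make the check itself concrete, here is an added example (not Splunk's code, and not the page author's) that does what a file integrity checker does: it hashes every file under a directory, compares the result with a baseline manifest, and reports files that are missing, modified, or unexpected. The manifest format and the sample tree are constructed for the demo, and do not mirror Splunk's own manifest file; the `demo()` function reproduces the situation on this page, a README removed from deployment-apps.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Baseline: relative POSIX path -> sha256 for every regular file under root.
    Constructed format for this example; NOT Splunk's manifest file."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_integrity(root: Path, manifest: dict) -> dict:
    """Compare the tree against the baseline and report, like an integrity
    checker would, which files are missing, modified, or not in the baseline."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then delete the deployment-apps
    README and edit a system default file, and run the check."""
    tmp = Path(tempfile.mkdtemp())
    try:
        etc = tmp / "etc"
        (etc / "deployment-apps").mkdir(parents=True)
        (etc / "deployment-apps" / "README").write_text("Deployment apps go here.\n")
        (etc / "system" / "default").mkdir(parents=True)
        (etc / "system" / "default" / "web.conf").write_text("[settings]\n")
        baseline = build_manifest(etc)
        (etc / "deployment-apps" / "README").unlink()
        (etc / "system" / "default" / "web.conf").write_text("[settings]\nedited = 1\n")
        return check_integrity(etc, baseline)
    finally:
        shutil.rmtree(tmp)
```

Running `demo()` reports `deployment-apps/README` as missing and `system/default/web.conf` as modified, the two classes of finding the Splunk warning on this page refers to.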


Solution: Steps to follow to remove the integrity warning:

1. Copy the README file from another instance (Instance B) in your network to the instance with the file integrity issue.
Note: Use an instance as the source of the README file (the flagged file) only if its installation date is the same as that of the instance showing the integrity warning. Here we use "Instance B" as the source of the original README, and Instance B must not have any integrity issue itself. Because the system/default files on both instances have the same creation date, they can replace each other as original versions.
2. Go to "Instance B" and locate the README in deployment-apps.

3. Copy that file from that server using the scp command.

4. The IP address in the scp command is that of "Splunk instance A", the instance with the integrity issue, where the file needs to be copied to.

5. -p preserves the file's timestamps, so the original installation date is kept on the copy. If we don't use this flag, the date is updated to the current time, the default file deviates from its original version, and the integrity issue remains.
scp -p README splunk@192.168.0.163:/opt/splunk/etc/deployment-apps


6. Go to the destination host "Splunk instance A" and check the README file.


7. Restart "Splunk instance A".
/opt/splunk/bin/splunk restart

8. The warning message disappears from the GUI.

If you are still facing issues regarding this topic, feel free to ask your doubts in the comment box below, and don't forget to follow us on social networks. Happy Splunking!
Handling Integrity Warning in Splunk Environment Reviewed by Avotrix.Author on Monday, February 10, 2020 Rating: 5

All Rights Reserved by Avotrix © 2018 - 2019
Developed and created by Avotrix