Warning Message: Search peer XXX.XXX.X.XXX has the following message: File Integrity checks found 1 files that did not match the system-provided manifest. Review the list of problems reports by the InstalledFileHashChecker in splunkd.log File Integrity Check View : potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem. Learn more.
This message tells us that something in the default files of the Splunk instance has been edited. To solve this issue, we need to retrieve the original version of the files.
1. If you click the "File Integrity Check View" link in the warning message itself on "Splunk instance A", it lists the names of the files that differ from their original version.
2. An alternate way to find the files with an integrity issue is to run the following command on "Splunk instance A", the instance with the integrity issue. It lists the names of the files that differ from their original version.
/opt/splunk/bin/splunk validate files
In this case the results show that the integrity issue is with the README file in deployment-apps: the file is reported as missing, which triggers the file integrity warning.
Solution: steps to follow to remove the integrity issue warning:
1. Copy the README file from any other instance (Instance B) in your network and paste it into the instance with the file integrity issue.
Note: Choose a Splunk instance to copy the README file (the edited file) from only if its installation date is the same as that of the instance showing the integrity warning. Here we use "Instance B" as the source of the original version of the README; Instance B must not have any integrity issue itself. Because the system/default files on both instances have the same creation date, their original versions can replace each other.
2. Go to "Instance B" and check for the README in deployment-apps as required.
3. To copy the file from that server, we will use the scp command.
4. The IP given in the scp command is that of "Splunk instance A", the instance with the integrity issue, which is where the file needs to be copied.
5. -p is used to preserve the installation date, so that the original date is kept on the copied file. If we don't use this option, the date is updated to the current time, and the default file then deviates from its original version, creating an integrity issue.
scp -p README email@example.com:/opt/splunk/etc/deployment-apps
6. Go to the destination host, "Splunk instance A", and check the README file.
7. Restart the "Splunk instance A" server.
8. The warning message will be removed from the GUI.
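Before copying the README from Instance B in the steps above, you can confirm that its hash matches the manifest entry on the instance showing the warning. The script below is an added example, not part of the original post or of Splunk itself; the manifest line layout, the function names and the sample files in demo() are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed manifest line layout (not taken from the page):
#   f <mode> <owner> <group> <path> <sha256>
# Paths containing spaces are not handled.

# Print the SHA-256 recorded for path $2 in manifest $1; fail if not listed.
manifest_hash() {
    awk -v p="$2" '$1 == "f" && $5 == p { print $6; found = 1; exit }
                   END { if (!found) exit 1 }' "$1"
}

# Print the SHA-256 of file $1.
file_hash() {
    sha256sum "$1" | awk '{ print $1 }'
}

# check_candidate MANIFEST PATH CANDIDATE
# Returns 0 = candidate matches manifest, 1 = mismatch, 2 = cannot be checked.
check_candidate() {
    [ -r "$3" ] || { echo "cannot read $3" >&2; return 2; }
    want=$(manifest_hash "$1" "$2") || { echo "$2 not in manifest" >&2; return 2; }
    have=$(file_hash "$3")
    if [ "$want" = "$have" ]; then
        echo "OK $2"
        return 0
    fi
    echo "MISMATCH $2 want=$want have=$have" >&2
    return 1
}

# Constructed demo: a one-line manifest and two candidate files in a temp dir.
demo() {
    d=$(mktemp -d)
    printf 'original readme\n' > "$d/README.good"
    printf 'locally edited readme\n' > "$d/README.edited"
    printf 'f 444 splunk splunk splunk/etc/deployment-apps/README %s\n' \
        "$(file_hash "$d/README.good")" > "$d/manifest"
    check_candidate "$d/manifest" splunk/etc/deployment-apps/README "$d/README.good"
    check_candidate "$d/manifest" splunk/etc/deployment-apps/README "$d/README.edited"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument demo to see one matching and one mismatching candidate; only a candidate that returns 0 is worth copying into place.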