I just got done deploying Splunk 6, and it turns out that the couple of inputs I had using this plugin are now broken.
One of the scripts being used calls out to another server via SSH and formats the output like this:
Ready,100
Not Ready,54
After the upgrade, the indexed output looks like:
ssh: /opt/splunk/lib/libcrypto.so.1.0.0: version `OPENSSL_1.0.0' not found (required by ssh)
ssh: /opt/splunk/lib/libcrypto.so.1.0.0: version `OPENSSL_1.0.0' not found (required by ssh)
Ready,
Not Ready,
Further, the "Command" option under Inputs is no longer there, meaning I can no longer configure this source.
Any idea what I need to do in order to fix this?
You're going to have to do a workaround by changing your external commands. You can change the call to ssh if you're using bash from:
ssh abc defg hijk
to
LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH ssh abc defg hijk
if you're using Linux, to make sure the OS checks the default system path before the Splunk path. If you have multiple calls to ssh or other commands that use openssl shared libraries, you can instead just export LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH
at the top of your script instead.
thx @richardgalloway I've added that to the list
halr9000, see my existing question at http://answers.splunk.com/answers/105439/no-port_scan-data
@richgalloway can you open a new question on that and include error messages? I'm collecting issues now and am opening an internal bug.
Thanks Gerald.
Also to add....
The Command Modular Input not showing up is due to a bug caused by the DB Connect app that causes all Modular Inputs, although they are installed and working fine, to not show up in the Manager UI. You can still browse to the Mod Input setup manually.
http://YOURSPLUNKHOST:8000/en-US/manager/launcher/data/inputs/command
This bug is currently being fixed.
Wish I could accept two answers for this one - thanks!
Is there a reason you wouldn't rather do
unset LD_LIBRARY_PATH
instead?
On MacOS, the relevant variable is DYLD_LIBRARY_PATH, and on HP-UX it's SHLIB_PATH, and on AIX it's LIBPATH.
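A third option between prepending /usr/lib and unsetting the variable, shown as an added example that is not part of the thread and not Splunk's own code: remove only Splunk's directories from LD_LIBRARY_PATH before calling ssh. The /opt/splunk default is taken from the error message above; the function names strip_lib_path and run_clean and the sample path are made up for illustration.

```shell
#!/bin/sh
# Added example. SPLUNK_HOME default is an assumption based on the
# /opt/splunk/lib path shown in the ssh error message.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# strip_lib_path LIST PREFIX
# Print the colon-separated LIST without entries equal to or below PREFIX.
# Empty entries are dropped as well: the glibc loader treats a zero-length
# entry as the current working directory, and "/usr/lib:$LD_LIBRARY_PATH"
# leaves one behind whenever the variable was unset.
# The body runs in a subshell so the IFS and noglob changes do not leak.
strip_lib_path() (
    list=$1
    prefix=${2%/}
    out=
    IFS=:
    set -f
    for dir in $list; do
        case $dir in
            ''|"$prefix"|"$prefix"/*) continue ;;
        esac
        out=${out:+$out:}$dir
    done
    printf '%s\n' "$out"
)

# run_clean CMD [ARGS...]
# Run CMD with Splunk's library directories removed from LD_LIBRARY_PATH.
# The caller's environment is untouched (subshell); the exit status is CMD's.
run_clean() (
    cleaned=$(strip_lib_path "${LD_LIBRARY_PATH:-}" "$SPLUNK_HOME")
    if [ -n "$cleaned" ]; then
        LD_LIBRARY_PATH=$cleaned
        export LD_LIBRARY_PATH
    else
        unset LD_LIBRARY_PATH
    fi
    "$@"
)

# Constructed sample of what a script launched by Splunk might inherit.
sample="/opt/splunk/lib::/usr/local/lib"
strip_lib_path "$sample" /opt/splunk    # prints /usr/local/lib

# In the input script, the ssh call from the thread would become:
#   run_clean ssh abc defg hijk
```

Unlike unset, this keeps any non-Splunk entries that other commands in the same script may rely on.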
I'm having a similar problem with the Asset Discovery app. It appears Splunk 6 does not come with the right OpenSSL library.