Security

After upgrading to Splunk 6.5, why am I unable to log in?

smakovits
Explorer

Was running 6.4.x without issue for weeks. Decided to upgrade to 6.5, after install, and now I can no longer access Splunk.

When accessing the Splunk server URL, the address changes to:

https://myserver:8000/en-US/account/login?return_to=%2Fen-US%2F

The page is blank and I am not prompted for UserID and Password.

0 Karma

swong_splunk
Splunk Employee
Splunk Employee

I had a customer with the same issue. They are on Windows environment.

From the web_service.log error:133 - Masking the original 404 message: ‘The path ‘/en-US/static/@C07E38B2C61DCE7D4C565937648843078F1F9808DDC3298053487F8B847B84A3/build/css/bootstrap-enterprise.css’ was not found.' with ‘Page not found!’ for security reason

Turns out remove this app Microsoft Office 365 Reporting Add-on for Splunk (TA-MS_O365_Reporting) resolved the issue

0 Karma

smakovits
Explorer

I am running this instance on Windows and I had to reset some permissions and eventually things came back online. Back at the start of November when this happened I messed with folder security and ran a repair. Specifically what fixed it I do not recall, but i know it didnt like something with one of the folders.

I believe in the end I force updated the entire folder structure permissions to get things online again.

I can report that i just went to 6.5.1 and it had no such issue, so it is not clear what 6.5 did.

0 Karma

maraman_splunk
Splunk Employee
Splunk Employee

The error message about page not found looks like a consequence or the real pb, doesn't tell the root cause.
Can you :
as splunk :
/opt/splunk/bin/splunk stop
ps aux | grep splunk to check it's really stopped
as root
chown -R splunk:splunk /opt/splunk
/opt/splunk/bin/splunk enable boot-start -user splunk
chown -R splunk:splunk /opt/splunk (yes again)
as splunk
/opt/splunk/bin/splunk start
/opt/splunk/bin/splunk login
does it work ?
if not check splunkd.log
if yes, try to login with browser (FX or Chrome to start with)
if in error, check splunkd.log for the first error message after splunk start

0 Karma

ronnietheengine
New Member

Yes i did your commands but nothing changed.
The only thing change is my web port was 80 but i cannot give again as 80 so i was forced to change the port as 7070.
I searched the log could not find anything about the problem.

0 Karma

maraman_splunk
Splunk Employee
Splunk Employee

So your splunk used to run as root if you could use port 80
you can forward the port 80 to your port 7070 with iptables nat command
Are you on 6.5 or 6.5.1 ? if the former try 6.5.1 ?
other things I would look in is to temporarily disable selinux just in case it is the one preventig splunk to read it's files
then if not that's probably environmental so I guess you should do a splunk diag and sent it to support so they can help you sort this out.

0 Karma

ronnietheengine
New Member

Yeah already sent diag logs
Thank You

0 Karma

goodsellt
Contributor

Have you checked the permissions of the /opt/splunk folder on your install? If those look good, check the permissions of the objects in /opt/splunk/etc/auth and especially make sure splunk_secret is set to read only.

From those error logs you posted it looks like the server cannot find the pages internally, sounds most likely due to a permissions issue or security mismatch of some kind, though it's believable that the upgrade install may have broken the paths. What OS are you running Splunk on?

0 Karma

ronnietheengine
New Member

My Server is Centos 6.6 and i have these logs

[5846c00d8bb5b4750c] error:138 - Masking the original 404 message: 'The path '/en-US/static/@E230EE12390B8DE91C6B7CF5D5C7CC0FCF9BACDB96EEFD8A39BD94B9607B3E50/build/css/bootstrap-enterprise.css' was not found.' with 'Page not found!' for security reason

Web_service log
127.0.0.1 - - [06/Dec/2016:16:46:18.812 +0200] "GET /en-US/static/@E230EE12390B8DE91C6B7CF5D5C7CC0FCF9BACDB96EEFD8A39BD94B9607B3E50/build/pages/enterprise/account.js HTTP/1.1" 404 3158 "http://172.26.0.205/en-US/account/login?return_to=%2Fen-US%2Fapp%2Flauncher%2Fhome" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0" - 5846c12acfb5b8eecc 4ms 
0 Karma

ronnietheengine
New Member

And the permissions look like these;
-r-------- 1 splunk splunk 255 Aug 29 2012 splunk.secret
drwx------ 6 splunk splunk 4096 Dec 6 15:25 auth

0 Karma

ronnietheengine
New Member

We also have same problem.Any Updates?

0 Karma

smakovits
Explorer
2016-11-03 09:24:11,007 INFO    [581b3a7b00fa77dedba8] decorators:363 - require_login - no splunkd sessionKey variable set; cherrypy_session=0ba7867df50418e24478e9822ccfa10e56646aa2 request_path=/en-US/
2016-11-03 09:24:11,007 INFO    [581b3a7b00fa77dedba8] decorators:384 - require_login - redirecting to login
2016-11-03 09:24:11,499 INFO    [581b3a7b7cfa77ded438] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/build/css/bootstrap-enterprise.css' was not found.' with 'Page not found!' for security reasons
2016-11-03 09:24:11,546 INFO    [581b3a7b84fa77ded9e8] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/js/i18n.js' was not found.' with 'Page not found!' for security reasons
2016-11-03 09:24:11,551 INFO    [581b3a7b85fa77e250f0] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/build/pages/enterprise/common.js' was not found.' with 'Page not found!' for security reasons
2016-11-03 09:24:11,551 INFO    [581b3a7b85fa77e25208] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/build/pages/enterprise/account.js' was not found.' with 'Page not found!' for security reasons
2016-11-03 09:24:11,568 INFO    [581b3a7b8ffa77dedb38] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/build/pages/enterprise/account.js' was not found.' with 'Page not found!' for security reasons
2016-11-03 09:24:16,122 INFO    [581b3a801dfa77ded9e8] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/build/css/bootstrap-enterprise.css' was not found.' with 'Page not found!' for security reasons
2016-11-03 09:24:16,428 INFO    [581b3a8063fa77ded6d8] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/js/i18n.js' was not found.' with 'Page not found!' for security reasons
2016-11-03 09:24:16,428 INFO    [581b3a8063fa77e32240] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/build/pages/enterprise/common.js' was not found.' with 'Page not found!' for security reasons
2016-11-03 09:24:16,430 INFO    [581b3a8064fa77e32160] error:138 - Masking the original 404 message: 'The path '/en-US/static/@02E046AB149829BCBA669025F6BF0A1462C97FF999C33E1997531404F814356C/build/pages/enterprise/account.js' was not found.' with 'Page not found!' for security reasons
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...