Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the Universal Forwarder reporting the wrong IP to Deployment Server?

JDukeSplunk
Builder
‎04-28-2017 08:58 AM

I have about 6 hosts that are reporting their IP address to my deployment server incorrectly.
They are running Universal Forwarder 6.5.2.

alt text

They all show up as the same 172.22.254.250 address.

I have checked the local /etc/hosts on the forwarder systems themselves. I have checked ifconfig on those hosts to confirm that they don't have some weird binding. I checked the deployment server /etc/hosts and can ping them all correctly by their actual 10.214.3.X IP address. I also checked the /SPLUNKHOME/etc/system/local/server.conf file. Nada.

Any ideas?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎05-17-2017 08:43 AM

Thank you everyone for your feedback. On a whim I deleted the record for one host from the deployment server, and when it phoned home again it had the correct IP. Keep it simple. Odd that it did that in the first place.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎05-17-2017 08:43 AM

Thank you everyone for your feedback. On a whim I deleted the record for one host from the deployment server, and when it phoned home again it had the correct IP. Keep it simple. Odd that it did that in the first place.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-29-2017 09:16 AM

What is in the forwarders deploymentclient.conf?

 /opt/splunk/bin/splunk btool deploymentclient list --debug

My hunch is that you've got a load balancer in front of the deployment server and this is the "backend" ip of the VIP that the forwarders are using to commicate with your deployment server.

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎04-29-2017 07:45 AM

My hunch would be that these forwarders all traverse a NAT interface.

Can you try a traceroute from the UF to the DS?

Like wrangler said, I believe the DS is mapping the host to the IP that their phone home was received from, and if the traffic is natted behind a router or firewall (or VIP like jkat suggrsted) then they would all be calling from the same IP

- MattyMo
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎04-28-2017 02:24 PM

Let's find out if the hostname is consistent on the forwarder's environment. To my knowledge, Splunk does not store the IP address anywhere in its .config files.

Look first in $SPLUNK_HOME/etc/system/local/server.conf, for the [general] stanza. There may be a line like this:

serverName = hostname

You'd expect that to be correct if it is there.

Next take a look at $SPLUNK_HOME/var/log/splunk/splunkd.log (copy it off somewhere or edit it with vi -R)

Searching from the bottom up, find the line INFO loader - Splunkd starting. The next line down will be INFO loader - System info: and the hostname that Splunk thinks it is will be there.

INFO  ServerConfig - My GUID is 5AEF640C-24F3-4A8A-AD4C-08227E9C4FE5
INFO  ServerConfig - My server name is "hostname".
INFO  ServerConfig - Found no site defined in server.conf
INFO  ServerConfig - My hostname is "hostname".
[snippage]
INFO  ServerConfig - Using REMOTE_SERVER_NAME=hostname

All these hostnames should be what you'd expect on that forwarder. If not, that's a clue something is wrong somewhere.

And then look for lines like this:

INFO  HttpPubSubConnection - SSL connection with id: connection_xxx.xxx.xxx.xxx_8089_hostname_5AEF640C-24F3-4A8A-AD4C-08227E9C4FE5

The 5AEF640C-24F3-4A8A-AD4C-08227E9C4FE5 string is the GUID you saw earlier in the logs (it will be different on your system. And again here you should see the hostname you expect, and the IP that you expect.

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎04-28-2017 11:12 AM

Does this give you the same results, or differerent (IP address-wise)?

index=_internal source=*metrics.log* group=tcpin_connections  NOT eventType=connect_close NOT eventType=connect_done
| table hostname sourceIp arch fwdType os version
| dedup sourceIp
| where NOT sourceHost=sourceIp
0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎04-28-2017 11:31 AM

Thanks Wrangler
Since all 6 of the hosts are reporting as the same wrong IP (See the picture) the dedup command only shows me one now. What I really need help with isn't the search so much as why these forwarders are reporting the wrong address. I edited the question to better reflect that.

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎04-28-2017 01:44 PM

The Splunk forwarder does not store the hosts IP address anywhere in its configs that I am aware of. Take a look at $SPLUNK_HOME/var/log/splunk/splunkd.log and search for

INFO HttpPubSubConnection - SSL connection with id: connection

The whole thing will look something like this:

04-26-2017 16:04:32.212 INFO HttpPubSubConnection - SSL connection with id: connection_xxx.xxx.xxx.xxx_8089_hostname_5AEF640C-24F3-4A8A-AD4C-08227E9C4FE5

where xxx.xxx.xxx.xxx is the IP address the forwarder thinks it is, and hostname is the hostname it thinks it is. How does this IP address compare to what is in your search results?

Now also look for INFO loader - System info. This is in the same log file right after an entry that says Splunkd starting. On that line will be the type of system and the hostname Splunk thinks it is.

A little ways further in the logs you will find a line that says INFO ServerConfig - My GUID is and thee string that follows that is what is used at the end of those HttpPubSubConnection - SSL connection entries like the one I showed, above.

Then you'll see three more lines

04-26-2017 13:11:55.781 -0700 INFO ServerConfig - My server name is "hostname".
04-26-2017 13:11:55.781 -0700 INFO ServerConfig - Found no site defined in server.conf
04-26-2017 13:11:55.781 -0700 INFO ServerConfig - My hostname is "hostname".

Then a bit further look for

04-26-2017 13:11:55.785 -0700 INFO ServerConfig - Using REMOTE_SERVER_NAME=hostname

All of these hostnames should match.

Take a look also at $SPLUNK_HOME/etc/system/local/server.conf

There should be a stanza there called [general] which has
servername = hostname

If your finding something out of line in any of these, that'd be a clue.

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎04-28-2017 01:41 PM

I just left a long comment but when I submitted it, it disappeared, so I going to retype it and leave it as an answer, though it really isn't one. About the search, changed the dedup to hostname

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...