Splunk Enterprise

"File Integrity checks found 1 files that did not match the system-provided manifest. See splunkd.log for details."

brent_weaver
Builder

I have no idea where this message is coming from. I see the subject message in the WebUI but when I restart splunk it tells me all is OK. Here is the output from a restart:

[dev]root@ip-10-94-18-55:/opt/splunk/etc/users:#/opt/splunk/bin/splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.............                                              [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.

Splunk> Needle. Haystack. Found.

Checking prerequisites...
    Checking http port [8000]: open
    Checking mgmt port [8089]: open
    Checking appserver port [127.0.0.1:8065]: open
    Checking kvstore port [8191]: open
    Checking configuration...  Done.
    Checking critical directories...    Done
    Checking indexes...
        Validated: _audit _internal _introspection _telemetry _thefishbucket aws_anomaly_detection aws_topology_daily_snapshot aws_topology_history aws_topology_monthly_snapshot aws_topology_playback aws_vpc_flow_logs history main summary
    Done


Bypassing local license checks since this instance is configured with a remote license master.

    Checking filesystem compatibility...  Done
    Checking conf files for problems...
        Invalid key in stanza [ui] in /opt/splunk/etc/apps/SA-ge_splunk_health/local/app.conf, line 12: version  (value:  1.0).
        Invalid key in stanza [calendar_heatmap] in /opt/splunk/etc/apps/calendar_heatmap_app/default/visualizations.conf, line 6: supports_drilldown  (value:  True).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunk/splunk-6.5.2-67571ef4b87d-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
                                                           [  OK  ]

Waiting for web server at https://127.0.0.1:8000 to be available................. Done


If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at https://ip-10-94-18-55:8000

I ran the REST API call to https://10.94.18.55:8089/services/server/status/installed-file-integrity and it tells me that the file /opt/splunk/etc/users/users.ini has been modified. What am I missing here?

Any help is MUCH appreciated as this is very annoying.

0 Karma

darrenfuller
Contributor

On my Splunk 6.5.1 Linux box, users.ini is empty:

0 -r--r--r--. 1 splunk splunk   0 Nov 18  2016 users.ini
0 Karma

darrenfuller
Contributor

Go to a fresh Splunk instance, copy /opt/splunk/etc/users/users.ini from the fresh instance to yours, be sure to keep the file modified times ... restart.

This will go away.

brent_weaver
Builder

When I do this, Splunk complains about the missing [contains-uppercase] section. So unfortunately this did not work.

[contains-uppercase]
212631038" = 212631038_.7c4b2bdd6b5f9690f1813a7ab9d6e76a
212611170" = 212611170_.d3b52ce6b4e8fdfbf8ec32f6d9f015ba
0 Karma

darrenfuller
Contributor

Same version/edition of Splunk on both?

0 Karma

darrenfuller
Contributor

(And which version/OS are we talking about?)

0 Karma

xisura
Communicator

Did you edit some files under the default folders?

0 Karma

brent_weaver
Builder

The file is /opt/splunk/etc/users/users.ini that it is complaining about.

0 Karma

brent_weaver
Builder

I would never do that, so no.

0 Karma