Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

File etc/users/users.ini presenting integrity check failures

performancemoni
Path Finder
‎03-20-2020 09:09 AM

Hello,

We have a weird warning on the integrity of the file etc/users/users.ini, if we look at the file, it contains:

[contains-uppercase]
user@domain> =user@domain_.5ec8143af5fe7888fddd625f69d704b3

It might have occured when we created a user and made a mistake with their username, we used their email address as username but we forgot to remove the ">" at the end. But anyway, now we have this stanza with this entry and a warning on file integrity.

We deleted the user and recreated it with the correct username "user@domain". The file is still the same... We checked on other Splunk instances where we don't have the integrity problem and the file users.ini is always empty. So we tried to remove the stanza from the file to make the file empty but when we restart splunk it tells us that the file is missing a stanza...

In the end we re-added the content of the file, just in case, to not have an error on restart. This file doesn't seem to have an impact on Splunk (?), but how can we remove or fix this integrity warning ?

Thank you for your help

0 Karma
Reply

woodcock
Esteemed Legend
‎03-21-2020 01:56 PM

Open a support case for sure and post back here what happens.

0 Karma
Reply

PavelP
Motivator
‎03-21-2020 02:54 AM

check the manifest file and post the output of this command:

grep users.ini $SPLUNK_HOME/splunk*manifest

check file ownership and permissions of users.ini and users.ini.default files:

ls -l $SPLUNK_HOME/etc/users/users.ini*

check logs for related warnings and errors:

grep users.ini $SPLUNK_HOME/var/log/splunk/*log
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...