Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting "WARN AuthorizationManager - Unknown role" errors in splunkd.log after deleting the VMware and Windows Infrastructure apps?

bravon
Communicator
‎03-04-2015 02:53 AM

After removing the Windows Infrastructure and VMWare applications, we get the following errors in splunkd.log:

WARN AuthorizationManager - Unknown role 'winfra-admin'
WARN AuthorizationManager - Unknown role 'splunk_vmware_admin'

I can't seem to find where the old (deleted/removed) roles are referenced - can someone point me in the right direction?

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

bravon
Communicator
‎03-04-2015 02:59 AM

After reading http://answers.splunk.com/answers/205496/how-to-troubleshoot-unknown-role-warnings-for-ess.html i found a reference in etc\system\local\authorize.conf

View solution in original post

Reply
Solved! Jump to solution

azurite257
Explorer
‎06-02-2016 06:46 AM

It's not the authorized.conf. ess_user, ess_admin, ess_analysts would have been additional roles associated with admin account or other users defined local to the splunk (i.e. if you are using LDAP, then only system accounts that should be defined would have been admin).

Look at the $SPLUNK_HOME/etc/passwd. remove the roles associated that is no-longer existing on that splunk instance. That should get rid of the errors in the log.

:admin:$$::Administrator:admin;ess_admin;ess_analyst:changeme@example.com::

In above example, remove the entries ';ess_admin;ess_analyst' and save. Restart splunk, and error will be gone.

Reply
Solved! Jump to solution
Solution

bravon
Communicator
‎03-04-2015 02:59 AM

After reading http://answers.splunk.com/answers/205496/how-to-troubleshoot-unknown-role-warnings-for-ess.html i found a reference in etc\system\local\authorize.conf

Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...