Facing Issue with Forwarder version 9.4.0 in sending logs to server

malimahesh25
Engager

Hi team, 

I am unable to send logs to the server using the "splunk add monitor <filename>" command with forwarder version 9.4.0.
Splunk is running as the root user. The add monitor command is asking for credentials, and the inputs.conf file is not getting updated with the name of the log file that is added to monitor.

sudo splunk add monitor Test.log
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R root:root /opt/splunkforwarder"
Splunk username:
Password:
Login failed


Tested with forwarder version 9.0.0 and it worked. That time it also asked for credentials, but inputs.conf got updated and logs were sent to the server without providing the credentials.

I want to send logs to the server using forwarder 9.4.0.

What changes should I make to get it working? Please suggest.

0 Karma
1 Solution

livehybrid
Super Champion

Hi @malimahesh25 

Firstly, I just want to mention that it is generally not advised to run Splunk as root. 

Regarding your issue - the reason that the inputs.conf is not being updated is that the authentication to Splunk failed. Do you know your Splunk credentials for the forwarder? This is the Splunk admin auth user, NOT the system user credentials.

If you do not know the password then you can reset it by following these steps:

1. Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk
2. Create a file named user-seed.conf in your $SPLUNK_HOME/etc/system/local/ directory.
3. In the file add the following text:

[user_info]
USERNAME = admin
PASSWORD = NEW_PASSWORD

In the place of "NEW_PASSWORD" insert the password you would like to use.
4. Restart Splunk

After restarting Splunk you should now be able to run the command, logging in with the new credentials.

For more info see https://docs.splunk.com/Documentation/Splunk/9.4.0/admin/User-seedconf

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will
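
The reset steps above as a shell function, an added example that is not part of the original answer. The function name `seed_admin_password` and reading the password from stdin are assumptions of this sketch; it creates user-seed.conf with owner-only permissions because the file holds the password in clear text.

```shell
#!/bin/sh
# Added example: stages the admin password reset described in the answer.
# seed_admin_password is a hypothetical helper name, not a Splunk command.
#
# Usage: seed_admin_password SPLUNK_HOME USERNAME < password-on-stdin
# Reading the password from stdin keeps it out of argv and shell history.
seed_admin_password() {
    home=$1
    user=$2
    passwd_file="$home/etc/passwd"
    seed_dir="$home/etc/system/local"
    seed_file="$seed_dir/user-seed.conf"

    # Validate everything first so a failure leaves the instance untouched.
    if [ ! -d "$seed_dir" ]; then
        echo "not a Splunk home: $home" >&2; return 2
    fi
    if [ -e "$seed_file" ]; then
        echo "refusing to overwrite $seed_file" >&2; return 3
    fi
    if [ -e "$passwd_file" ] && [ -e "$passwd_file.bk" ]; then
        echo "backup $passwd_file.bk already exists" >&2; return 5
    fi
    IFS= read -r new_pass || :
    if [ -z "$new_pass" ]; then
        echo "no password supplied on stdin" >&2; return 4
    fi

    # Step 1: move the old password file aside; the seed file is only
    # used when etc/passwd is absent.
    if [ -e "$passwd_file" ]; then
        mv "$passwd_file" "$passwd_file.bk" || return 1
    fi

    # Steps 2-3: write the seed file, readable by its owner only.
    (
        umask 077
        printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' \
            "$user" "$new_pass" > "$seed_file"
    ) || return 1

    # Step 4 (restart Splunk) is left to the operator.
    return 0
}
```

Run it as the account that owns SPLUNK_HOME, then restart Splunk as in the last step of the answer.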

isoutamo
SplunkTrust

Another proposal: don't use the CLI to add inputs. That installs them under SPLUNK_HOME/etc/system/local. If/when you take a DS into use, you must manually move/update them node by node.
You should always use separate apps for those definitions. That way it's really easy to update them later on and also to add the same configuration to other nodes, as every log source has its own app.
