9. Troubleshooting a Splunk Installation
Troubleshooting
Linux
Starting or Stopping the Splunk Server
If you installed Splunk in the recommended directory, use the following commands:
$SPLUNK_HOME/bin/splunk start
$SPLUNK_HOME/bin/splunk stop
$SPLUNK_HOME/bin/splunk restart
If the init scripts for automatic startup were installed, the following commands can be used:
service splunk stop
service splunk start
service splunk restart
You Have Installed and Started Splunk But You Cannot See the Web Interface
The web interface runs on port 8000. You should be able to open localhost:8000 in a browser. If that page does not load, something on the host is blocking the connection.
Check the following:
1. For IPtables
a. To check:
sudo iptables -L
b. To remove:
sudo iptables -F
Note Flushing the rules removes all host firewall protection. A more appropriate solution is to add iptables rules that allow only the following inbound traffic:
inbound port 8000 TCP (HTTP, the web interface)
inbound port 2055 UDP (firewall flow data)
c. Rules removed this way return at the next reboot. If you want the change to be permanent, run the following command:
/sbin/service iptables save
2. For SELinux (CentOS and Red Hat)
a. To check:
cat /selinux/enforce
b. If a 1 is returned, SELinux is enforcing.
c. To disable enforcement until the next reboot:
echo 0 > /selinux/enforce
d. To permanently disable SELinux, edit the following file:
/etc/selinux/config
e. Change the line to this:
SELINUX=disabled
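The checklist above is easier to work through with a script that reports each condition at once and prints the targeted rules instead of flushing the whole table. The following is an added example, not part of the SonicWALL app or its documentation; it assumes the ports on this page (TCP 8000 for the web interface, UDP 2055 for flow data), reads the ruleset with `iptables -S INPUT`, reads the SELinux mode from /selinux/enforce as the page does, and the sample ruleset it carries is constructed.

```sh
#!/bin/sh
# Added diagnostic helper for the checklist above; not part of the Splunk app or its docs.
# Assumptions: Splunk Web on TCP 8000, firewall flow data on UDP 2055, rules read with
# `iptables -S INPUT`, SELinux mode read from /selinux/enforce (the path the page uses).
WEB_PORT=8000
FLOW_PORT=2055

# chain_policy RULES -> prints the INPUT chain default policy (ACCEPT, DROP, ...)
chain_policy() {
    printf '%s\n' "$1" | sed -n 's/^-P INPUT \([A-Z]*\).*/\1/p'
}

# firewall_verdict RULES PROTO PORT -> allowed | blocked:<TARGET> | blocked:catch-all | default:<POLICY>
# The first rule that names the port decides, because iptables stops at the first match.
firewall_verdict() {
    rules=$1; proto=$2; port=$3
    [ -n "$rules" ] || { echo unknown; return 0; }
    target=$(printf '%s\n' "$rules" \
        | grep -E -- "^-A INPUT .*-p $proto .*--dport $port( |\$)" \
        | sed -n '1s/.*-j \([A-Za-z_-]*\).*/\1/p')
    if [ -n "$target" ]; then
        if [ "$target" = ACCEPT ]; then echo allowed; else echo "blocked:$target"; fi
    elif printf '%s\n' "$rules" | grep -E -- '^-A INPUT -j (REJECT|DROP)' >/dev/null; then
        echo blocked:catch-all   # stock CentOS/RHEL rulesets end with an unconditional REJECT
    else
        echo "default:$(chain_policy "$rules")"
    fi
}

# selinux_mode VALUE -> enforcing | permissive | unknown (VALUE is the content of /selinux/enforce)
selinux_mode() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# The targeted rules to add instead of flushing everything with `iptables -F`.
suggest_rules() {
    printf 'iptables -I INPUT -p tcp --dport %s -j ACCEPT\n' "$WEB_PORT"
    printf 'iptables -I INPUT -p udp --dport %s -j ACCEPT\n' "$FLOW_PORT"
    echo '/sbin/service iptables save'
}

# Constructed sample resembling a stock CentOS ruleset: flows allowed, web port hits the catch-all.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 2055 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

run_live() {
    rules=$(iptables -S INPUT 2>/dev/null) || rules=""
    echo "web   tcp/$WEB_PORT : $(firewall_verdict "$rules" tcp "$WEB_PORT")"
    echo "flows udp/$FLOW_PORT: $(firewall_verdict "$rules" udp "$FLOW_PORT")"
    if [ -r /selinux/enforce ]; then
        echo "selinux: $(selinux_mode "$(cat /selinux/enforce)")"
    else
        echo "selinux: /selinux/enforce not present on this system"
    fi
    echo "rules that open only the needed ports:"; suggest_rules
}

# Run with --live (as root) on the Splunk host; without arguments it only defines the functions.
if [ "${1:-}" = "--live" ]; then run_live; fi
```

With the constructed ruleset, `firewall_verdict "$SAMPLE_RULES" tcp 8000` reports `blocked:catch-all` even though the chain policy is ACCEPT, which is exactly the case where a quick look at the policy line misleads and `iptables -F` "fixes" it by removing everything.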
Verify Inbound Data
Capture traffic on the interface that receives the firewall data (replace eth0 with your interface):
sudo tcpdump -i eth0 port 2055
If packets appear with this filter, the firewall is sending data to the Splunk host.
Check for Your Data
Run this search. If it returns events, Splunk is receiving and indexing the data.
index=sonicwall tid=257
Still Not Getting Data Back from the Index
The predefined SonicWALL index shipped with the application points at /cannery/splunk/sonicwall. If that path does not exist on your file system, the index will not work and you must change it in the configuration. STOP the server before editing the following file:
/opt/splunk/etc/apps/splunk_dell_firewalls/local/indexes.conf
In that file, change the index path to the location where you want the index to be written. Any application that does not have this location defined must be configured manually in the same way.
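The stop, edit and start sequence described above, as an added example that is not part of the app or its documentation. It assumes Splunk is installed under /opt/splunk and uses the app's local indexes.conf path from this page; the three path keys (homePath, coldPath, thawedPath) are standard indexes.conf settings, while the db/colddb/thaweddb layout under the chosen base directory is this example's choice. Run it as the user Splunk runs as, since the writability check applies to the invoking user.

```sh
#!/bin/sh
# Added example of relocating the sonicwall index; not from the app or its docs.
# Assumes Splunk under /opt/splunk and the app's local indexes.conf path given on the page.
SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
INDEXES_CONF="$SPLUNK_HOME/etc/apps/splunk_dell_firewalls/local/indexes.conf"

# sonicwall_stanza BASE_DIR -> prints a [sonicwall] stanza that stores the index under BASE_DIR
sonicwall_stanza() {
    printf '[sonicwall]\n'
    printf 'homePath = %s/sonicwall/db\n' "$1"
    printf 'coldPath = %s/sonicwall/colddb\n' "$1"
    printf 'thawedPath = %s/sonicwall/thaweddb\n' "$1"
}

# check_index_dir BASE_DIR -> succeeds only for an existing, writable, absolute directory
check_index_dir() {
    case "$1" in /*) ;; *) return 1 ;; esac
    [ -d "$1" ] && [ -w "$1" ]
}

# relocate_index BASE_DIR: stop Splunk, back up the current file, write the new stanza, start Splunk.
# Settings in the app's local/ directory override its default/ directory, so the three path keys suffice.
relocate_index() {
    if ! check_index_dir "$1"; then
        echo "refusing: $1 must be an existing, writable, absolute directory" >&2
        return 1
    fi
    "$SPLUNK_HOME/bin/splunk" stop
    mkdir -p "$(dirname "$INDEXES_CONF")"
    if [ -f "$INDEXES_CONF" ]; then cp -p "$INDEXES_CONF" "$INDEXES_CONF.bak"; fi
    sonicwall_stanza "$1" > "$INDEXES_CONF"
    "$SPLUNK_HOME/bin/splunk" start
}

# Usage: relocate_sonicwall.sh --apply /data/splunk   (without arguments it only defines the functions)
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then relocate_index "$2"; fi
```

The directory check runs before the server is stopped, so a typo in the path fails fast instead of leaving Splunk down with an index pointing at a location it cannot write.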
Some Dashboards Do Not Work
Dashboard searches that omit the index return nothing. Open the dashboard search, add the index to it, and save it as a preferred search. For example, change:
tid=257 | chart ....
to:
index=sonicwall tid=257 | chart ....
Note If you discover any of the following situations, contact support at splunk_help@sonicwall.com.
Empty CSV Lookup for "sonicwall_hostnames"
At installation, open this file and manually add each firewall's IP address and a hostname of your choice. The instructions can be found in step 8.