splunkforwarder 9.1.2 crashes on FreeBSD 14.0

patpro
Path Finder

Hello,

I’ve upgraded my FreeBSD server from 13.2-RELEASE to 14.0-RELEASE. Now, Splunk forwarder crashes when I try to start it.

I made a clean install of the latest Splunk forwarder: same result.

Any hint appreciated.

pid 8593 (splunkd), jid 0, uid 0: exited on signal 11 (no core dump - too large)
pid 8605 (splunkd), jid 0, uid 0: exited on signal 11 (no core dump - too large)

edit: last lines of ktrace output

 11099 splunkd  NAMI  "/opt/splunkforwarder/etc/system/default/authentication.conf"
 11099 splunkd  RET   open 3
 11099 splunkd  CALL  fstat(0x3,0x82352cf30)
 11099 splunkd  STRU  struct stat {dev=10246920463185163261, ino=219, mode=0100600, nlink=1, uid=1009, gid=1009, rdev=18446744073709551615, atime=0, mtime=1699928544, ctime=1702914937.560528000, birthtime=1699928544, size=1301, blksize=4096, blocks=9, flags=0x800 }
 11099 splunkd  RET   fstat 0
 11099 splunkd  CALL  read(0x3,0x35c8bc0,0x1000)
 11099 splunkd  GIO   fd 3 read 1301 bytes
       "#   Version 9.1.2
	# DO NOT EDIT THIS FILE!
	# Changes to default files will be lost on update and are difficult to
	…/…
	enablePasswordHistory = false
	passwordHistoryCount = 24
	constantLoginTime = 0
	verboseLoginFailMsg = true
	
       "
 11099 splunkd  RET   read 1301/0x515
 11099 splunkd  CALL  read(0x3,0x35c8bc0,0x1000)
 11099 splunkd  GIO   fd 3 read 0 bytes
       ""
 11099 splunkd  RET   read 0
 11099 splunkd  CALL  close(0x3)
 11099 splunkd  RET   close 0
 11099 splunkd  PSIG  SIGSEGV SIG_DFL code=SEGV_MAPERR
 11084 splunk   RET   wait4 11099/0x2b5b
 11084 splunk   CALL  write(0x2,0x820c56800,0x2a)
 11084 splunk   GIO   fd 2 wrote 42 bytes
       "ERROR: pid 11099 terminated with signal 11"
 11084 splunk   RET   write 42/0x2a
 11084 splunk   CALL  write(0x2,0x825106cf7,0x1)
 11084 splunk   GIO   fd 2 wrote 1 byte
       "
       "
 11084 splunk   RET   write 1
 11084 splunk   CALL  exit(0x8)
1 Solution

patpro
Path Finder

For anyone wanting to push the idea of FreeBSD 14 support, this is where it can be done:

https://ideas.splunk.com/ideas/SFXIMMID-I-583

Feel free to spend up to 10 votes!

Thanks a lot for your support and for spreading the word 🙂

0 Karma

jotne
Builder

At the same time, ask pfSense to port its firewall to Ubuntu or another Linux distro.

0 Karma

Yorokobi
SplunkTrust

FreeBSD 11 is the only supported version for the 9.1.2 universal forwarder.

https://docs.splunk.com/Documentation/Splunk/9.1.2/Installation/Systemrequirements#Unix_operating_sy...

0 Karma

patpro
Path Finder

OK, I get your point, but it works perfectly with FreeBSD 13.x and, more importantly, FreeBSD 11 itself was «EOLed» 2 years and 3 months ago. So either Splunk has officially pushed new software for years for an unsupported OS, or they just didn’t bother to update the doc.

When they deprecated support for licensed products (i.e. full Splunk Enterprise) on FreeBSD, they documented that with proper warning. I see nothing about deprecating the Universal Forwarder package on FreeBSD…
