인덱서 서비스 등록. init 서비스로 등록된다.
[root@Splunk splunk]# bin/splunk enable boot-start Init script installed at /etc/init.d/splunk. Init script is configured to run at boot. [root@Splunk splunk]# [root@Splunk splunk]# ls /etc/init.d/ functions netconsole network README splunk sshd | cs |
[root@Splunk splunkforwarder]# bin/splunk enable boot-start Initd script /etc/init.d/splunk exists. splunk is currently enabled as init.d bootstart service. Please run "splunk disable boot-start" first to disable it as init.d boot-start service | cs |
포워더 서비스 먼저 등록. systemd 서비스로 등록된다.
[root@Splunk splunk]# bin/splunk disable boot-start Disabled. [root@Splunk splunk]# ls /etc/init.d/ functions netconsole network README sshd [root@Splunk splunk]# cd ../splunkforwarder [root@Splunk splunkforwarder]# bin/splunk enable boot-start splunk is currently running, please stop it before running enable/disable boot-start [root@Splunk splunkforwarder]# systemctl list-unit-files|grep Splunk SplunkForwarder.service enabled | cs |
이후 인덱서를 다시 등록하면 둘 다 서비스 등록 가능. 그런데 인덱서 먼저 실행 후 포워더 실행을 시도하면 실패.
[root@Splunk splunkforwarder]# service SplunkForwarder status Redirecting to /bin/systemctl status SplunkForwarder.service ● SplunkForwarder.service - Systemd service file for Splunk, generated by 'splunk enable boot-start' Loaded: loaded (/etc/systemd/system/SplunkForwarder.service; enabled; vendor preset: disabled) Active: failed (Result: start-limit) since Wed 2025-07-16 08:18:41 KST; 1s ago Process: 8568 ExecStart=/opt/splunkforwarder/bin/splunk _internal_launch_under_systemd (code=exited, status=1/FAILURE) Process: 8566 ExecStartPre=/bin/bash -c chown -R splunkfwd:splunkfwd /opt/splunkforwarder (code=exited, status=0/SUCCESS) Main PID: 8568 (code=exited, status=1/FAILURE) Jul 16 18:18:41 Splunk systemd[1]: SplunkForwarder.service: main process exited, code=e...URE Jul 16 18:18:41 Splunk systemd[1]: Unit SplunkForwarder.service entered failed state. Jul 16 18:18:41 Splunk systemd[1]: SplunkForwarder.service failed. Jul 16 18:18:41 Splunk systemd[1]: SplunkForwarder.service holdoff time over, schedulin...rt. Jul 16 18:18:41 Splunk systemd[1]: start request repeated too quickly for SplunkForward...ice Jul 16 18:18:41 Splunk systemd[1]: Failed to start Systemd service file for Splunk, gen...t'. Jul 16 18:18:41 Splunk systemd[1]: Unit SplunkForwarder.service entered failed state. Jul 16 18:18:41 Splunk systemd[1]: SplunkForwarder.service failed. Hint: Some lines were ellipsized, use -l to show in full. | cs |
명령어를 직접 실행해보면 관리 포트 충돌이 원인임을 알 수 있다.
[root@Splunk splunkforwarder]# bin/splunk start Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunkfwd:splunkfwd /opt/splunkforwarder" Splunk> Take the sh out of IT. Checking prerequisites... Checking mgmt port [8089]: not available ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port. Would you like to change ports? [y/n]: | cs |
포워더를 먼저 실행하면?
[root@Splunk splunkforwarder]# service SplunkForwarder start Redirecting to /bin/systemctl start SplunkForwarder.service [root@Splunk splunkforwarder]# service SplunkForwarder status Redirecting to /bin/systemctl status SplunkForwarder.service ● SplunkForwarder.service - Systemd service file for Splunk, generated by 'splunk enable boot-start' Loaded: loaded (/etc/systemd/system/SplunkForwarder.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2025-07-16 08:29:37 KST; 1min 45s ago Process: 10185 ExecStartPre=/bin/bash -c chown -R splunkfwd:splunkfwd /opt/splunkforwarder (code=exited, status=0/SUCCESS) Main PID: 10187 (splunkd) CGroup: /system.slice/SplunkForwarder.service ├─10187 splunkd --under-systemd --systemd-delegate=no -p 8089 _internal_launch_... └─10214 [splunkd pid=10187] splunkd --under-systemd --systemd-delegate=no -p 80... Jul 16 18:29:37 Splunk systemd[1]: Started Systemd service file for Splunk, generated b...t'. Jul 16 18:29:38 Splunk splunk[10187]: Warning: Attempting to revert the SPLUNK_HOME ownership Jul 16 18:29:38 Splunk splunk[10187]: Warning: Executing "chown -R splunkfwd:splunkfwd ...er" Jul 16 18:29:38 Splunk splunk[10187]: Checking mgmt port [8089]: open Jul 16 18:29:38 Splunk splunk[10187]: Checking conf files for problems... Jul 16 18:29:38 Splunk splunk[10187]: Done Jul 16 18:29:38 Splunk splunk[10187]: Checking default conf files for edits... Jul 16 18:29:38 Splunk splunk[10187]: Validating installed files against hashes from '/...st' Jul 16 18:29:39 Splunk splunk[10187]: PYTHONHTTPSVERIFY is set to 0 in splunk-launch.co...ity Jul 16 18:29:39 Splunk splunk[10187]: 2025-07-16 08:29:39.156 +0900 splunkd started (bu...187 Hint: Some lines were ellipsized, use -l to show in full. | cs |
이후 인덱서를 실행하면 둘 다 잘 실행된다. 포트 충돌 어떻게 해결한거지?
[root@Splunk ~]# ps -u root|grep splunk 10480 ? 00:01:50 splunkd 10485 ? 00:00:01 splunkd 10787 ? 00:00:10 splunkd 11122 ? 00:00:04 splunkd 11123 ? 00:00:00 splunkd 12073 ? 00:00:02 splunkd 12074 ? 00:00:00 splunkd [root@Splunk ~]# ps -u splunkfwd PID TTY TIME CMD 10187 ? 00:00:04 splunkd 10214 ? 00:00:00 splunkd | cs |
확인해보니 관리 포트는 나중에 실행된 인덱서만 사용한다. 포워더에서 배포 서버 설정 안 하면 관리 포트 필요없는 건가?
[root@Splunk ~]# lsof -i:8089 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME splunkd 10480 root 4u IPv4 55367 0t0 TCP *:8089 (LISTEN) splunkd 10480 root 186u IPv4 278298 0t0 TCP localhost:8089->localhost:42114 (ESTABLISHED) agent-man 10963 root 8u IPv4 278297 0t0 TCP localhost:42114->localhost:8089 (ESTABLISHED) | cs |
centos7이 init와 systemd를 같이 사용하는 과도기라서 그런지 뭔가 어수선하다. 어차피 같이 쓸 일 없으니 뭐(..)
관련 글
댓글 없음:
댓글 쓰기