Posted on May 16, 2014 12:16 pm
 |  Asked by Thomas Thomas
 |  9258 views
RESOLVED

Hello

Is there, or will there be, support for the Splunk Forwarder in vEOS?

I tried but got this:

vEOS1#copy https://www.arista.com/support/download/Extensions/Splunk/arista-splunk-extension.swix extension:
Copy completed successfully.
vEOS1#extension arista-splunk-extension.swix
% Failed to install extension 'arista-splunk-extension.swix':
Installation failed: Unsupported format

Cheers/Thomas

0
Posted by Andrei Dvornic
Answered on May 16, 2014 12:21 pm

Hi Thomas,

How much RAM are you starting the VM with? Can you bump it up to 2G and try again (I am assuming that you are using less than that)?

Thanks,
Andrei

0
Posted by Thomas Thomas
Answered on May 16, 2014 12:35 pm

Hi Andrei

I had 2G and according to VMware I was using the lot. I bumped it up to 4G, same exact result on the extension. VMware now says I am using 1,84G of my 4G memory.

 

Cheers/Thomas

 

0
Posted by Andrei Dvornic
Answered on May 16, 2014 12:38 pm

Can you please attach the output of "ls -la" and "md5sum" for the swix file? Would be great if you could also confirm where you downloaded the extension from.

Thanks,
Andrei

0
Posted by Thomas Thomas
Answered on May 16, 2014 12:56 pm

Hi Andrei

 

In what directory does the swix file land when I copy it to Extension?

I used the link from the Arista website and put it in the copy command from the instruction document:

 

copy https://www.arista.com/support/download/Extensions/Splunk/arista-splunk-extension.swix extension:

 

Cheers/Thomas

0
Posted by Andrei Dvornic
Answered on May 16, 2014 2:38 pm

I looked into this and unfortunately it looks like this is related to some recent updates we made to http://www.arista.com. While we are working on updating the instructions on the website (for Splunk), can you please try the following:

0
Posted by Thomas Thomas
Answered on May 19, 2014 7:56 am

Hi Andrei

 

OK, I downloaded the new swix and copied it to the switch flash (using ftp because my regular lab server does not support scp), copied from flash to extension and activated the extension.

 

vEOS1#sh extensions
Name                                       Version/Release           Status RPMs
------------------------------------------ ------------------------- ------ ----
arista-splunk-extension.swix               0.95/1498976.2013ltdsplun A, I   2
splunkforwarder-5.0.3-163460.i386.rpm      5.0.3/163460              A, I   1

A: available | NA: not available | I: installed | NI: not installed | F: forced
vEOS1#

 

That looks fine, does it not?

 

I tried to look at the config for splunk forwarder. The tab completion works, sh spl becomes sh splunk-forwarder. However, when I hit return:

 

vEOS1#sh splunk-forwarder
Splunk Forwarder Extension:
Arista EOS Splunk Extension: 0.95 (SplunkForwarder-0.95-1498976.2013ltdsplunkforwarder.8.i686)
Splunk Universal Forwarder: splunkforwarder-5.0.3-163460.i386

The Splunk Universal Forwarder is not installed.

To download and install the Splunk Universal forwarder rpm go to
http://www.splunk.com in a web browser and download the splnk universal
forwarder for linux rpm and install it on the switch, or download
and install it on your Arista switch using the following commands:
switch# copy http://download.splunk.com/releases/5.0.3/universalforwarder/linux/splunkforwarder-5.0.3-163460.i386.rpm extension:
switch# extension splunkforwarder-5.0.3-163460.i386.rpm
switch# copy installed-extensions boot-extensions

If you have downloaded the Splunk Universal Forwarder but
not yet installed it, install it using the following commands:
switch# extension splunkforwarder-5.0.3-163460.i386.rpm
switch# copy installed-extensions boot-extensions

vEOS1#

 

What am I missing?

 

Cheers/Thomas

 

 

0
Posted by Lincoln
Answered on May 19, 2014 2:55 pm

Indeed, this looks like the file is corrupt and/or an incorrect size.

Suggest downloading it and installing it again. It's too late to just bump up the VM RAM size if it was already too small, and if you've gone through some 'no extension' / 'extension' iteration(s) then something else we found was that Splunk doesn't set its directory permissions correctly on the 'rpm erase' operation triggered from 'no extension', so in the middle also do this:

switch# bash sudo chmod -R 777 /opt/splunkforwarder

as a quick hack.
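The md5sum request and the corrupt-file diagnosis earlier in this thread both come down to checking what was actually written to `extension:`. As an added example (not from the thread or from Arista), this Python check reports size and digests and tests whether the bytes form an intact archive; it assumes a SWIX file is a zip container, and the sample archive and its member name are constructed.

```python
import hashlib
import io
import zipfile

def inspect_swix(data: bytes) -> dict:
    """Report size, digests and an integrity verdict for a downloaded .swix."""
    report = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),        # what `md5sum` prints
        "sha256": hashlib.sha256(data).hexdigest(),  # stronger digest to compare
    }
    head = data[:256].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        report["verdict"] = "html-page"              # a web page was saved, not the file
    elif not data.startswith(b"PK\x03\x04"):
        report["verdict"] = "not-a-zip"              # assumption: SWIX is a zip archive
    else:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                bad = zf.testzip()                   # CRC check of every member
                report["members"] = zf.namelist()
            report["verdict"] = "corrupt-member" if bad else "ok"
        except zipfile.BadZipFile:
            report["verdict"] = "truncated-or-corrupt"
    return report

def constructed_swix() -> bytes:
    """Build a small stand-in archive (constructed sample, not a real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.rpm", b"constructed payload")
    return buf.getvalue()

if __name__ == "__main__":
    good = constructed_swix()
    for blob in (good, good[: len(good) // 2], b"<html><body>Login</body></html>"):
        r = inspect_swix(blob)
        print(r["size"], r["md5"], r["verdict"])
```
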

0
Posted by Steven King
Answered on June 20, 2014 4:41 pm

If you notice, there is a line or two at startup saying that it needs to be started with the ./splunk start command. However, what I experienced was when I dropped into bash and tried to cd into the folder (/opt/splunkforwarder) I got a permission denied. I did a sudo chmod 777 on the folder and then I was able to start it and the show splunk-forwarder command provided status output.

0
Posted by eniz aksoy
Answered on December 22, 2016 2:49 pm

Hi All,

There is no command on my switch for the Splunk forwarder.

What could be the problem?

sw1#sh splunk-forwarder
% Invalid input

sw1(config)#sp?
spanning-tree

 

sw1#sho extensions
Name                                       Version/Release           Status extension
------------------------------------------ ------------------------- ------ ----
AristaAppForSplunk-1.3.1.swix              1.3.1/1.fc18              A, I   3
splunkforwarder-5.0.3-163460.i386.rpm      5.0.3/163460              A, I   1

====

Device has 4 GB RAM

======

 

sw1#sho version
Arista vEOS
Hardware version:
Serial number:
System MAC address: 000c.2995.e8a7

Software image version: 4.17.2F
Architecture: i386
Internal build version: 4.17.2F-3696283.4172F
Internal build ID: c6362f13-ae6d-4c88-b5fd-4678d66018ab

Uptime: 8 minutes
Total memory: 3886848 kB
Free memory: 2585788 kB

sw1#

 

Thanks

0
Answered on December 27, 2016 5:50 pm

Hi Eniz,

 

What steps did you use to load and install the extensions? Did you reload the CLI?

 

Thanks

0
Posted by eniz aksoy
Answered on December 28, 2016 7:44 am

OK, need to log out and log in to see the commands.

thanks

0
Posted by eniz aksoy
Answered on December 28, 2016 7:13 pm

Hi again,

I have configured the Splunk forwarder on Arista and installed the apps for Arista on Splunk.

But Splunk gives an error message like this: "ERROR: unable to connect to eAPI", and nothing shows except syslog messages. What could be the problem?

 

Sw2#sho splunk-forwarder
Splunk Forwarder Extension:
Arista EOS Splunk Extension: 1.3.1
Splunk Universal Forwarder: 5.0.3

Administrative Status: enabled
Operational Status: (VRF: default): running
Index Set: default

eAPI Client Configuration:
Username: pualaman
Password: Set
Protocol: http
Port: 443
Enable Password: Not Set

Indexers Configured:
192.168.154.1:9997

SSL configuration:
For Splunk Server : 192.168.154.1:9997
SSL Root CA: None
SSL Server Certificate: None
SSL Password: Not Set
SSL Common Name To Check: None
SSL Verify Server: Not Set

Items to index: (max-data-rate is 256 Kbps)
Switch Inventory: enabled (1h 0s intervals)
Sflow: enabled (1m 0s intervals)
Topology Information: enabled (1h 0s intervals)
Interface Statistics: enabled (1m 0s intervals)
Latency Analyzer (LANZ): disabled
Syslog: enabled

Also added the Splunk screen as an attachment.

 

 

thanks

0
Answered on January 11, 2017 6:29 pm

Hi Eniz,

From your show command output, it looks like you have set http to be used as your protocol. For this you'd have to change your port to 80.

Command – #http-commands port 80

Also make sure you have enabled http from management api.

switch#conf

switch(conf)# management api http-commands

switch(config-mgmt-api-http-cmds)#protocol http port 80

Thanks,

Sakti
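The protocol/port mismatch pointed out in this answer can be caught by parsing the `show splunk-forwarder` output. This is an added example, not code from the thread or from Arista: it flags the http-on-443 pairing and the two transport settings in the same output that leave traffic unprotected. The finding names are hypothetical, and the port check assumes eAPI listens on each protocol's default port.

```python
import re

# Default port for each eAPI transport; the answer above pairs http with 80.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Excerpt of the `show splunk-forwarder` output posted in the thread.
SAMPLE = """\
eAPI Client Configuration:
Password: Set
Protocol: http
Port: 443

SSL configuration:
For Splunk Server : 192.168.154.1:9997
SSL Root CA: None
SSL Verify Server: Not Set
"""

def parse_fields(text):
    """Map each 'Label: value' line to {label: value}; bare headings are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def audit(text):
    """Return a list of finding ids for one `show splunk-forwarder` output."""
    f = parse_fields(text)
    findings = []
    proto = f.get("Protocol", "").lower()
    port = int(f.get("Port", "0"))
    # Assumption: the switch's eAPI listens on the protocol's default port.
    if proto in DEFAULT_PORTS and port != DEFAULT_PORTS[proto]:
        findings.append("port-mismatch")       # e.g. http pointed at 443
    if proto == "http":
        findings.append("cleartext-eapi")      # login and replies unencrypted
    if f.get("SSL Verify Server", "Not Set") == "Not Set":
        findings.append("indexer-unverified")  # indexer certificate not checked
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Switching the client to https on 443 clears the first two findings without opening a cleartext listener, provided the switch's `management api http-commands` section has https enabled.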
