This topic lists known issues that are specific to the universal forwarder. For information on fixed issues, see Fixed issues.
Universal forwarder issues
|Date filed||Issue number||Description|
|2023-02-22||SPL-236429||Universal forwarder download for PPCLE kernel 3.0+ is unavailable for versions 9.0.2, 9.0.3, and 9.0.4|
|2022-10-25||SPL-232028, SPL-236165, SPL-236166||Windows Defender logs stop being forwarded but other Winevent logs continue to forward until UF is restarted. Workaround: Restart the UF.|
|2022-08-17||SPL-228646, SPL-228645||Restart is needed when AWS access key pairs rotate (without a grace period) or other S3 config settings for Ingest Actions become invalid|
|2022-06-23||SPL-226019||Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.|
|2022-06-06||SPL-225379||Ownership of files mentioned in the manifest file is splunk:splunk instead of root:root after enabling boot start as root user for initd. Workaround: When changing the UF user, manually chown SPLUNK_HOME to the new user, including on first-time install or upgrade, or manually enable boot-start.|
|2022-05-16||SPL-224264, SPL-224265||Splunk UF not starting on Debian 11 (x86_64 and arm64)|
|2022-05-13||SPL-224167||Splunk UF for CentOS-7 (ARM64) is not available. Workaround: UF for CentOS7 ARM 64 will be available in the 9.0.1 maintenance release.|
|2020-11-09||SPL-197140, SPL-234386||UF failed to start on Solaris 11.3 with error: "symbol in6addr_any: referenced symbol not found". Workaround: 1. Do not upgrade past Splunk 8.0.5 on Solaris 11.3. 2. Upgrade to Solaris 11.4.|
|2017-03-14||SPL-138731||New 6.6 and later default SHA256/2048-bit key certificates are not compatible with previous versions' SHA1/1024-bit key certificates if cert verification is enabled. Workaround: Users can do any of the following: 1. Disable certificate verification - the same root certificate is available with every Splunk download, so enabling certificate verification while using the default certificates provides very little additional security. 2. Generate new SHA256/2048-bit key certificates using the new 6.6 root certificate and distribute them to older versions of Splunk. 3. Generate SHA1/1024-bit key certificates using the old root certificate to use with your new 6.6 instance. For convenience, the old root certificate is included in 6.6 in $SPLUNK_HOME/etc/auth/prev_release/|
This documentation applies to the following versions of Splunk® Universal Forwarder: 9.0.4