topic Re: What is the access/account type needed for splunk user in linux to use universal fowarder? in Security

What is the access/account type needed for splunk user in linux to use universal fowarder?

dban2005 — Thu, 18 Jan 2018 23:26:47 GMT

I have few linux servers reporting to a splunk indexer. While installing the UF on the linux servers, the splunk user has been created automatically and we are running the splunk service using that splunk user. As it created the splunk user with home directory as /opt/splunkforwarder, we need to maintain it for security reason. Can someone please advise in which of the following category this UF splunk user should considered?

Category a: user with ssh shell access
Category b: user with scp/sftp access
Category c: access with su to non-root users
Category d: access with su to root

I do not think I can categorized with any of the above. If not, then how I can define the splunk user with respect to the linux servers where the UF has been installed.

Re: What is the access/account type needed for splunk user in linux to use universal fowarder?

nickhills — Fri, 19 Jan 2018 13:52:57 GMT

By default the splunk user will not have any remote access to your server, and will have no sudo/root access.

It is by design a "standard" non privileged user.

Re: What is the access/account type needed for splunk user in linux to use universal fowarder?

dban2005 — Tue, 27 Mar 2018 19:20:11 GMT

Thanks for your respond; created a category 0 to accommodate the requirement.