topic How do I change the user Splunk runs as? in Security

How do I change the user Splunk runs as?

Bill_B — Sat, 31 Jan 2015 00:37:40 GMT

I have installed Splunk 6.0.4 as a root user on Linux 64bit RH 6.4. However, now I would like to change the user Splunk runs as to a non-root user. Is this possible and how would it be done?

-Thanks!

Re: How do I change the user Splunk runs as?

sanjay_shrestha — Sat, 31 Jan 2015 00:41:51 GMT

You can use:
chown -R group:user SPLUNK_HOME

Re: How do I change the user Splunk runs as?

ChrisG — Sat, 31 Jan 2015 00:44:37 GMT

This is documented in the Installation Manual topic, Run Splunk Enterprise as a different or non-root user.

Re: How do I change the user Splunk runs as?

Bill_B — Mon, 02 Feb 2015 18:46:22 GMT

Yes. Documentation says, "before you start Splunk Enterprise for the first time, change the ownership of the $SPLUNK_HOME directory to the desired user."
But Splunk was started as root-user and has been running as root-user. So will the "chown" command work after Splunk was started and running as root-user?

Re: How do I change the user Splunk runs as?

malmoore — Mon, 02 Feb 2015 20:37:30 GMT

Hi, this particular stipulation predates my time here.

The fast fix is to reinstall Splunk and reindex.

That said, I have performed chowns on existing Splunk installations that have initially been started and run as root without issue.

You might need to perform the chown multiple times before it takes, and it's possible that a chown -R from the top of the directory won't always take. I think this is why the stipulation exists.

Re: How do I change the user Splunk runs as?

Bill_B — Mon, 02 Feb 2015 21:39:33 GMT

Thank you all for your input.

Re: How do I change the user Splunk runs as?

joelby — Mon, 04 Jan 2016 22:55:42 GMT

I eventually used strace to figure out how Splunk was determining the user to run as. Have a look in $SPLUNK_HOME/etc/splunk-launch.conf - there's a SPLUNK_OS_USER= configuration option, which you'll probably want to set to the user that owns the files.

Re: How do I change the user Splunk runs as?

esix_splunk — Tue, 05 Jan 2016 03:33:34 GMT

There are two basic things that need to happen here

1) Change the ownership, recursively, of the splunk_home to the new user : chown -R newuser:newgroup /opt/splunk

2) Change the user Splunk starts as. You can do this by editing the launch.conf, or more easily with

$splunk_home$/bin/splunk enable boot-start -user newuser

Change newuser to the new username.

Re: How do I change the user Splunk runs as?

Marc785 — Thu, 15 Sep 2016 04:31:13 GMT

Hi!

What has worked for me, especially when I would run into permission issues early in my splunking career, is to follow the steps listed above, but then add the following touches (assuming splunk is the user you want to use):

sudo $SPLUNK_HOME/bin/splunk stop (no need to have splunkd cling to files/process that retain the previous ownership)

sudo su splunk

sudo chown -R splunk:splunk /opt/splunk(or where ever splunk is installed)

sudo $SPLUNK_HOME/bin/splunk start

Let splunk run through it's initialization process and BAM! Splunk is running as the new user, all of the ownership should be changed recursively throughout the file structure, and you've removed the need to reindex data or run chown multiple times. Hopefully this works with the same magical flair for you as it has for me. But you have shout "Bam!" with an exaggerated motion or else you break the magic. 🙂 happy splunking, my friend.