topic Re: Splunk cannot read messages logs in Security

Splunk cannot read messages logs

hartfoml — Thu, 18 Jul 2013 18:13:15 GMT

I have my indexer and search-head installed on RHES and splunkd is not running as root. I can see that the /var/log/messages and other logs are not accessible by the user that is running splunkd. I would like to collect system logs from my indexers and search-head without giving the splunkd Damon root access.

Any suggestions?

Re: Splunk cannot read messages logs

linu1988 — Thu, 18 Jul 2013 18:28:28 GMT

i don't think splunk needs root access to read logs. If you are using monitor stanza it should read it..

Re: Splunk cannot read messages logs

Ayn — Thu, 18 Jul 2013 18:30:42 GMT

Disagree with previous comment - generally permissions are set so that non-administrative users cannot read most stuff in /var/log.

Re: Splunk cannot read messages logs

grijhwani — Thu, 18 Jul 2013 19:58:18 GMT

Adding splunk to the syslog group will most likely give it access to your principal system logs, but not everything. Another option is to make the logs world-readable. A third option is to create a new group altogether, ensure that all your logs are written under and readable by that group, and add the splunk user to this group instead.

Finally, to help you with all your syslog configuration needs you could install syslog-ng, which is a highly flexible replacement for the stock syslogd service, which allows vastly greater control over the output files created by syslog.

Re: Splunk cannot read messages logs

hartfoml — Thu, 18 Jul 2013 20:01:06 GMT

Thanks much

Re: Splunk cannot read messages logs

hartfoml — Thu, 18 Jul 2013 20:20:03 GMT

Grijhwani,

Only three questions and yet 29 answers. you are my hero!!!