topic Re: How to change permissions on Splunk log files? in Security

How to change permissions on Splunk log files?

dshakespeare_sp — Thu, 22 Jan 2015 13:32:17 GMT

I have a need to monitor splunk logs with other applications, therefore I would like to change all (existing and newly created ones) splunk logs' permission from 600(rw- --- ---) to 604(rw- --- r--).
Is there a good way to accomplish this ?

This needs to work for all files, both new and existing.
I have tried setting "umask" etc, but nothing I have tried seems to work.

Any Ideas?

Re: How to change permissions on Splunk log files?

dshakespeare_sp — Thu, 22 Jan 2015 13:42:38 GMT

As this only affects the $SPLUNK_HOME/var/log files the following has worked for some customers

"splunk stop"
chmod -R 604 <$SPLUNK_HOME/var/log/splunk> (change existing file)
setfacl -Rmd:other:r <$SPLUNK_HOME/var/log> (set ACLs on directory so all new files are created 604)
"splunk start"

Re: How to change permissions on Splunk log files?

jmackie — Mon, 28 May 2018 05:19:49 GMT

If Splunk's official response to this is 'use setfacl' and not "we should be obeying the umask set for the user Splunk runs as", that's pretty awful from a system administrators point of view.