topic Re: How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root? in Security

How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

michael_lee — Thu, 21 Jan 2016 01:13:05 GMT

I find that I encountered more problems running splunk instances as the user splunk than using root. When I use splunk to start a Splunk instance, the receiving port that I use to listen to incoming forwarded data could not be started up. When I use root to start Splunk instance, then everything works. So, should I be running Splunk instance with root or not? If not, how should I configure Splunk instance to run smoothly user a normal user account.

Re: How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

MuS — Thu, 21 Jan 2016 02:15:06 GMT

Hi michael_lee,

this is not a Splunk problem, this is based on the so called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use a iptables rule to route input for port 800 to the Splunk port 1800:

   /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

Re: How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

michael_lee — Thu, 21 Jan 2016 02:33:50 GMT

thanks. so what should be running on port 800? is port 800 in your example a service?

Re: How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

MuS — Thu, 21 Jan 2016 02:37:57 GMT

This is the port Splunk will open for your input and it's just an example, instead of foo I used 800.

Re: How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

esix_splunk — Thu, 21 Jan 2016 04:26:55 GMT

As a note here, Splunk by default uses ports > 1024, which dont require priv to open. For example the default web port is TCP/8000 and the Default SplunkIn port is TCP/9997.

In cases where you want to use ports < 1024, you will need root or super user level access to do this.

Re: How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

MuS — Fri, 22 Jan 2016 00:11:40 GMT

Another side note, this post from @Gilles http://unix.stackexchange.com/questions/10735/linux-allowing-an-user-to-listen-to-a-port-below-1024 provides three possible solutions for this. From my point of view the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/installation/RunSplunkasadifferentornon-rootuser should be modified in this regard - I'll ping @docs