topic Re: How to Run Universal Forwarder 9.1 as Root? in Splunk Enterprise

How to Run Universal Forwarder 9.1 as Root?

restinlinux — Fri, 07 Oct 2022 14:26:10 GMT

I have changed the permissions of ownership

chown -R root:root/opt/splunkforwarder

After that, I started Splunk as root user, but after that was finished, the owner:group reverted back to splunk:splunk, respectively. The same situation persists even after restarting Splunk and restarting the OS.

Why its revert back to splunk:splunk

Wanted to operate with root:root as the owner:group under /opt/splunkforwarder.

https://docs.splunk.com/Documentation/Splunk/9.0.1/ReleaseNotes/KnownIssues#Universal_forwarder_issues

Re: Want to Run Universal Forwarder 9.1 as Root

richgalloway — Fri, 07 Oct 2022 14:21:09 GMT

Check the initd or systemctl script to make sure it's not changing the file ownership. If that doesn't help then contact support and ask for assistance with the documented issue.

Re: How to Run Universal Forwarder 9.1 as Root?

bapun18 — Fri, 07 Oct 2022 14:46:07 GMT

use splunk-launch.conf under $splunkHome/etc/
use below

SPLUNK_HOME=/opt/splunk

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var/lib/splunk subdirectory. This can be overridden
# here:
#
# SPLUNK_DB=/home/build/build-home/ember/var/lib/splunk

# Splunkd daemon name

# Splunkweb daemon name
SPLUNK_WEB_NAME=splunkweb

# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
#
# SPLUNK_OS_USER
SPLUNK_SERVER_NAME=Splunkd

then you can use sudo systemctl start/stop/status Splunkd

Re: How to Run Universal Forwarder 9.1 as Root?

bapun18 — Fri, 07 Oct 2022 14:48:16 GMT

post changing this you can also use sudo /splunkhome/bin/splunk start/status/stop etc
helps, please accept the solution and karma would be appreciated.

Re: How to Run Universal Forwarder 9.1 as Root?

PickleRick — Fri, 07 Oct 2022 14:59:36 GMT

But have you enabled the boot start with the root user or splunk user or what? Did you use initd or systemd? (the known issue you point to says about initd but is it really so?).

Re: How to Run Universal Forwarder 9.1 as Root?

bapun18 — Fri, 07 Oct 2022 15:26:20 GMT

@PickleRick wrote:
But have you enabled the boot start with the root user or splunk user or what? Did you use initd or systemd? (the known issue you point to says about initd but is it really so?).

You can use systemd

Re: How to Run Universal Forwarder 9.1 as Root?

PickleRick — Fri, 07 Oct 2022 16:40:37 GMT

I know you can. The question is how it was configured in this case.

Re: How to Run Universal Forwarder 9.1 as Root?

isoutamo — Fri, 07 Oct 2022 18:38:28 GMT

have you try this? https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/Installleastprivileged

Why you want to run it as a root? In security point of view it’s a bad practice and there is no reason for it to get read any files.

r. Ismo

Re: How to Run Universal Forwarder 9.1 as Root?

PickleRick — Sat, 08 Oct 2022 09:10:40 GMT

From the POLP point of view, of course the UF should run with user having finely tuned set of permissions allowing it to only access specific files and so on.

But let's be realistic - it's often easier to run it with just root or LOCAL_SYSTEM (that's how it installs in Windows, BTW) so you don't have to pull your hair out trying to get it to read all necessary inputs and not to break your users/groups.