topic Scripted Input permissions and execution troubleshooting in Splunk Enterprise

Scripted Input permissions and execution troubleshooting

raynold_peterso — Thu, 23 Jul 2020 15:41:32 GMT

Hello all,

I think I need help on this one....

We have a standalone windows system which is our indexer, management and deployment server. In the field, we have several flavors of devices running universal forwarders, i.e. Windows, Linux, Solaris, etc.

I am working on a directory monitor which will allow me to see what files are in a directory and report is one is missing or the like.

To test this, I created a scripted input to gather the contents of the directory and forward it to the indexer.

inputs.conf ###### Scripted Input to monitor directory files [script://./bin/dircontents.sh] disabled = 0 interval = 60 sourcetype = Script:dircontents.sh index = filewatch

props.conf [Script:dircontents.sh] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) MAX_EVENTS = 10000 TRUNCATE = 0 DATETIME_CONFIG = CURRENT

dircontents.sh cd /u01/DeticaHome/UI/data/acquisition/waiting ls | sort

With those config files, I deploy the app without issue, but when the script runs I get the following;

index=_internal 07-23-2020 09:30:47.841 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/_server_app_Detica-File-Processing-Mon/bin/dircontents.sh" /bin/sh: /opt/splunkforwarder/etc/apps/_server_app_Detica-File-Processing-Mon/bin/dircontents.sh: cannot execute

It appears the permissions of the script are not correct. I checked and the deploy script, dircontents.sh, permissions are 655 at deployment. I changed the permissions to 755 manually and the script took off and started working, but this was a manual intervention which is not optimal.

The Universal forwarder was installed and running as root.

To get this right, I need 755 permissions of the script fo the scripted input.

What have I missed? Any insight would be great at this point.

Thanks in advance,

Rcp

Re: Scripted Input permissions and execution troubleshooting

richgalloway — Thu, 23 Jul 2020 17:12:06 GMT

If the .sh file has 755 permissions on the DS then that should be retained on the UFs.
Are you aware of the risks of running the UF as root?

Re: Scripted Input permissions and execution troubleshooting

raynold_peterso — Thu, 23 Jul 2020 18:12:54 GMT

The DS is a windows system and you can not set execute permissions on windows files. Once it gets deployed the UF gives it a 655 permission set. How do I get around that?

Re: Scripted Input permissions and execution troubleshooting

isoutamo — Thu, 23 Jul 2020 19:16:38 GMT

if I recall right you cannot use Windows DS for Linux/Unix (other than Windows) UF. Vice versa it’s ok.

You must switch your DS to Linux server to deploy all needed environments.

R. Ismo

Re: Scripted Input permissions and execution troubleshooting

richgalloway — Thu, 23 Jul 2020 19:23:15 GMT

Ah. This is critical information. Running a DS on Windows is a known problem because of this very reason. Can you stand up a Linux box to run the DS on?

Re: Scripted Input permissions and execution troubleshooting

raynold_peterso — Thu, 23 Jul 2020 19:37:02 GMT

So,

LinuxDS -> WindowsUF=OK
LinuxDS->SolarisUF=OK
WindowsDS -> WindowsUF = OK
WindowsDS-> SolarisUF = BAD
WindowsDS-> LinuxUF = BAD.

Is this what I am to understand?

Well, that is rather unfortunate. I'll start seeing what I can do to spin up a Linux system.

Let me know if I am off base.

Re: Scripted Input permissions and execution troubleshooting

isoutamo — Thu, 23 Jul 2020 19:38:48 GMT

That’s correct!

Re: Scripted Input permissions and execution troubleshooting

raynold_peterso — Thu, 23 Jul 2020 19:56:00 GMT

I have kicked off the process and should have a AWS Linux system up soon. I'll install splunk enterprise and configure it as my deployment server.

Thanks for all the help.

Re: Scripted Input permissions and execution troubleshooting

isoutamo — Thu, 23 Jul 2020 20:02:51 GMT

Nice to hear that. As case is solved you should accept the solution so other can see it later on when they had same issue.

Re: Scripted Input permissions and execution troubleshooting

shocko — Tue, 27 Sep 2022 12:06:09 GMT

What mechanism does this though? Linux would not create a a file with X set. The UF though might though add that permissions afterwards I'd imagine.