https://community.splunk.com/t5/Splunk-Dev/How-do-I-prevent-Introspection-Generator-to-read-information/m-p/323022#M4570 <P>Hi,</P> <P>my splunk is running as splunk user on a linux system where the admin has secured the OS by using hidepid=1 on /proc (see <A href="https://ubuntuforums.org/showthread.php?t=2173093">https://ubuntuforums.org/showthread.php?t=2173093</A> and <A href="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">https://www.kernel.org/doc/Documentation/filesystems/proc.txt</A>) </P> <P>As a consequence, splunkd.log is filled with these error messages : <BR /> ERROR IntrospectionGenerator:resource_usage - RU - Fail to readlink(2) /proc/nnnn/exe: Operation not permitted where nnnn is a pid from a process not run by splunk<BR /> This is repeated for each pid so generate a lot of noise.</P> <P>I would like to tell Introspection to only look at it's own pid in that case or not produce error message for this.</P> <P>Any idea how to do this ?</P> Wed, 31 May 2017 09:14:18 GMT maraman_splunk 2017-05-31T09:14:18Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-prevent-Introspection-Generator-to-read-information/m-p/323022#M4570 <P>Hi,</P> <P>my splunk is running as splunk user on a linux system where the admin has secured the OS by using hidepid=1 on /proc (see <A href="https://ubuntuforums.org/showthread.php?t=2173093">https://ubuntuforums.org/showthread.php?t=2173093</A> and <A href="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">https://www.kernel.org/doc/Documentation/filesystems/proc.txt</A>) </P> <P>As a consequence, splunkd.log is filled with these error messages : <BR /> ERROR IntrospectionGenerator:resource_usage - RU - Fail to readlink(2) /proc/nnnn/exe: Operation not permitted where nnnn is a pid from a process not run by splunk<BR /> This is repeated for each pid so generate a lot of noise.</P> <P>I would like to tell Introspection to only look at it's own pid in that case or not produce error message for this.</P> <P>Any idea how to do this ?</P> Wed, 31 May 2017 09:14:18 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-prevent-Introspection-Generator-to-read-information/m-p/323022#M4570 maraman_splunk 2017-05-31T09:14:18Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-prevent-Introspection-Generator-to-read-information/m-p/323023#M4571 <P>As a workaround, I completely disabled the generator for resource usage <BR /> in server.conf</P> <PRE><CODE>[introspection:generator:resource_usage] disabled=true </CODE></PRE> <P>this stop the error message flood but that will also disable all related stats in the monitoring console....</P> Wed, 31 May 2017 09:24:27 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-prevent-Introspection-Generator-to-read-information/m-p/323023#M4571 maraman_splunk 2017-05-31T09:24:27Z https://community.splunk.com/t5/Splunk-Dev/How-do-I-prevent-Introspection-Generator-to-read-information/m-p/534967#M4572 <P>Hi,</P><P>you can also add the splunk group gid to the fstab ($ id splunk_user) :<BR /><SPAN>proc /proc proc rw,nosuid,nodev,noexec,relatime,</SPAN><STRONG>gid=&lt;splunk_gid&gt;</STRONG><SPAN>,hidepid=1 0 0</SPAN></P><P>According to man proc :</P><PRE> <STRONG>gid</STRONG>=<I>gid</I> (since Linux 3.3) Specifies the ID of a group whose members are authorized to learn process information otherwise prohibited by <STRONG>hidepid </STRONG>(i.e., users in this group behave as though <I>/proc</I> was mounted with <I>hidepid=0</I>). This group should be used instead of approaches such as putting nonroot users into the <A href="https://man7.org/linux/man-pages/man5/sudoers.5.html" target="_blank">sudoers(5)</A> file.</PRE><P>&nbsp;</P> Wed, 06 Jan 2021 15:26:34 GMT https://community.splunk.com/t5/Splunk-Dev/How-do-I-prevent-Introspection-Generator-to-read-information/m-p/534967#M4572 ipfyx 2021-01-06T15:26:34Z