<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk access to RHEL audit.log in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750612#M119254</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261132"&gt;@ewok&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Splunk &lt;STRONG&gt;Enterprise&lt;/STRONG&gt; systemd unit (splunkd.service) is &lt;STRONG&gt;not&lt;/STRONG&gt; shipped with the same AmbientCapabilities=CAP_DAC_READ_SEARCH line that the &lt;STRONG&gt;Universal Forwarder&lt;/STRONG&gt; package adds to its own unit (SplunkForwarder.service).&lt;BR /&gt;That line gives the UF process the Linux capability to bypass discretionary access controls (DAC) and read files such as /var/log/audit/audit.log even when the file is mode 0600 and owned by root.&lt;BR /&gt;Enterprise installs simply omit that stanza, so splunkd runs with the default capability set and cannot open the audit log unless you relax the permissions or run Splunk as root (both STIG-failures).&lt;/P&gt;&lt;P&gt;You can alter this behaviour for Splunk Enterprise (Full install) by editing the splunkd.service file:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Create the override directory (run as root):&lt;PRE&gt;systemctl edit splunkd.service&lt;/PRE&gt;&lt;/LI&gt;&lt;LI&gt;Add theAmbientCapabilities:&lt;PRE&gt;[Service]
   AmbientCapabilities=CAP_DAC_READ_SEARCH&lt;/PRE&gt;&lt;/LI&gt;&lt;LI&gt;Reload systemd and restart Splunk:&lt;PRE&gt;systemctl daemon-reload
   systemctl restart splunkd.service&lt;/PRE&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;After the restart the running splunkd&amp;nbsp;should have the same capability that the UF has and can read /var/log/audit/audit.log without touching file permissions or adding ACLs.&lt;/P&gt;&lt;P&gt;The override should not be overwritten with Splunk package upgrades, but always verify after an upgrade that its still in place.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
    <pubDate>Tue, 29 Jul 2025 06:19:23 GMT</pubDate>
    <dc:creator>livehybrid</dc:creator>
    <dc:date>2025-07-29T06:19:23Z</dc:date>
    <item>
      <title>Splunk access to RHEL audit.log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750604#M119252</link>
      <description>&lt;P&gt;Running Splunk 9.3.5 on RHEL 8.&amp;nbsp; STIG hardened environment.&amp;nbsp;&lt;/P&gt;&lt;P&gt;The non-Splunk RHEL instances running a Universal Forwarder have no issue access the audit.log files, apparently by virtue of the statement&lt;/P&gt;&lt;P&gt;AmbientCapabilities=CAP_DAC_READ_SEARCH&lt;/P&gt;&lt;P&gt;located in the&amp;nbsp;/etc/systemd/system/SplunkForwarder.service file.&amp;nbsp; However, the same is not true on the Splunk instance.&amp;nbsp; They require read access permissions via a file ACL or something.&amp;nbsp; Where these options all result in multiple STIG compliance findings.&amp;nbsp; Which each require write ups a vendor (Splunk) dependencies.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Question - why?&amp;nbsp; Why can't Splunk access the audit.log files the same way as the UF?&amp;nbsp; Or is there some way to do the same sort of thing with AmbientCapabilities for Splunkd.Service?&lt;/P&gt;&lt;P&gt;It is tempting to quit collecting these logs with Splunk itself and install UF on the Splunk instances too.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Jul 2025 03:27:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750604#M119252</guid>
      <dc:creator>ewok</dc:creator>
      <dc:date>2025-07-29T03:27:13Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk access to RHEL audit.log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750608#M119253</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261132"&gt;@ewok&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;UF explicitly supports adding Linux capabilities via the &lt;STRONG&gt;AmbientCapabilities&lt;/STRONG&gt;=CAP_DAC_READ_SEARCH setting. But full Splunk Enterprise instance does not utilize AmbientCapabilities, so it lacks these elevated per-file read permissions.&lt;/P&gt;&lt;P&gt;So your options to consider is,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;-Use the Universal Forwarder on Splunk server hosts for audit log collection and keep Splunk Enterprise running as non-root.&lt;/P&gt;&lt;P&gt;-Run Splunkd as root (least preferred).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So my recommendation is If strict &lt;STRONG&gt;STIG&lt;/STRONG&gt; compliance is essential, the best approach is to &lt;STRONG&gt;install the Universal Forwarder&lt;/STRONG&gt; (UF) on your Splunk and use it solely for audit log collection.&lt;/P&gt;&lt;P&gt;#&lt;A href="https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/universal-forwarder-manual/9.4/working-with-the-universal-forwarder/manage-a-linux-least-privileged-user" target="_blank"&gt;https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/universal-forwarder-manual/9.4/working-with-the-universal-forwarder/manage-a-linux-least-privileged-user&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;BR /&gt;Prewin&lt;BR /&gt;Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 29 Jul 2025 04:15:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750608#M119253</guid>
      <dc:creator>PrewinThomas</dc:creator>
      <dc:date>2025-07-29T04:15:00Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk access to RHEL audit.log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750612#M119254</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261132"&gt;@ewok&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Splunk &lt;STRONG&gt;Enterprise&lt;/STRONG&gt; systemd unit (splunkd.service) is &lt;STRONG&gt;not&lt;/STRONG&gt; shipped with the same AmbientCapabilities=CAP_DAC_READ_SEARCH line that the &lt;STRONG&gt;Universal Forwarder&lt;/STRONG&gt; package adds to its own unit (SplunkForwarder.service).&lt;BR /&gt;That line gives the UF process the Linux capability to bypass discretionary access controls (DAC) and read files such as /var/log/audit/audit.log even when the file is mode 0600 and owned by root.&lt;BR /&gt;Enterprise installs simply omit that stanza, so splunkd runs with the default capability set and cannot open the audit log unless you relax the permissions or run Splunk as root (both STIG-failures).&lt;/P&gt;&lt;P&gt;You can alter this behaviour for Splunk Enterprise (Full install) by editing the splunkd.service file:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Create the override directory (run as root):&lt;PRE&gt;systemctl edit splunkd.service&lt;/PRE&gt;&lt;/LI&gt;&lt;LI&gt;Add theAmbientCapabilities:&lt;PRE&gt;[Service]
   AmbientCapabilities=CAP_DAC_READ_SEARCH&lt;/PRE&gt;&lt;/LI&gt;&lt;LI&gt;Reload systemd and restart Splunk:&lt;PRE&gt;systemctl daemon-reload
   systemctl restart splunkd.service&lt;/PRE&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;After the restart the running splunkd&amp;nbsp;should have the same capability that the UF has and can read /var/log/audit/audit.log without touching file permissions or adding ACLs.&lt;/P&gt;&lt;P&gt;The override should not be overwritten with Splunk package upgrades, but always verify after an upgrade that its still in place.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
      <pubDate>Tue, 29 Jul 2025 06:19:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750612#M119254</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-07-29T06:19:23Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk access to RHEL audit.log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750613#M119255</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261132"&gt;@ewok&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Splunk &lt;STRONG&gt;Enterprise&lt;/STRONG&gt; systemd unit (splunkd.service) is &lt;STRONG&gt;not&lt;/STRONG&gt; shipped with the same AmbientCapabilities=CAP_DAC_READ_SEARCH line that the &lt;STRONG&gt;Universal Forwarder&lt;/STRONG&gt; package adds to its own unit (SplunkForwarder.service).&amp;nbsp;&lt;BR /&gt;That line gives the UF process the Linux capability to bypass discretionary access controls (DAC) and read files such as /var/log/audit/audit.log even when the file is mode 0600 and owned by root.&lt;BR /&gt;Enterprise installs simply omit that stanza, so splunkd runs with the default capability set and cannot open the audit log unless you relax the permissions or run Splunk as root (both STIG-failures).&lt;/P&gt;&lt;P&gt;You can alter this behaviour for Splunk Enterprise (Full install) by editing the splunkd.service file:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Create the override directory (run as root):&lt;PRE&gt;systemctl edit splunkd.service&lt;/PRE&gt;&lt;/LI&gt;&lt;LI&gt;Add theAmbientCapabilities:&lt;PRE&gt;[Service]
   AmbientCapabilities=CAP_DAC_READ_SEARCH&lt;/PRE&gt;&lt;/LI&gt;&lt;LI&gt;Reload systemd and restart Splunk:&lt;PRE&gt;systemctl daemon-reload
   systemctl restart splunkd.service&lt;/PRE&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;After the restart the running splunkd&amp;nbsp;should have the same capability that the UF has and can read /var/log/audit/audit.log without touching file permissions or adding ACLs.&lt;/P&gt;&lt;P&gt;The override should not be overwritten with Splunk package upgrades, but always verify after an upgrade that its still in place.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
      <pubDate>Tue, 29 Jul 2025 06:19:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750613#M119255</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-07-29T06:19:57Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk access to RHEL audit.log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750763#M119265</link>
      <description>&lt;P&gt;Too follow up.&amp;nbsp; Using&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;[Service]
   AmbientCapabilities=CAP_DAC_READ_SEARCH&lt;/PRE&gt;&lt;P&gt;This fails under the following conditions:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;If you have an old `Splunkd.service` file, with a line using =!, like the following:&lt;/LI&gt;&lt;/UL&gt;&lt;PRE&gt;ExecStart=!/opt/splunk/bin/splunk _internal_launch_under_systemd&lt;/PRE&gt;&lt;P class="lia-indent-padding-left-30px"&gt;If so, you will need to recreate the Splunkd.service file.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;If you utilize the "Data inputs --&amp;gt; Files &amp;amp; directories" monitor method for ingest the /var/log/audit/audit,log files this fails.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;This works with a current Splunk version (mine is 9.3.5) created Splunkd.service file and using the Splunk_TA_nix script method of ingest using rlog.sh.&lt;/P&gt;&lt;P&gt;Kuddos to&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906"&gt;@livehybrid&lt;/a&gt;&amp;nbsp;for causing me to review and realize I had an out of date Splunkd.service file&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 30 Jul 2025 20:53:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-access-to-RHEL-audit-log/m-p/750763#M119265</guid>
      <dc:creator>ewok</dc:creator>
      <dc:date>2025-07-30T20:53:01Z</dc:date>
    </item>
  </channel>
</rss>

