topic Re: Is there any reason not to run Splunk as root? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114931#M24048 <P>Ports 0-1024 are protected. Only root can use them.</P> <P>To address the question, yes, there are reasons to not run Splunk as root. Company policy may prohibit it. Security best practices say only system processes should run as root. Any program running as root may have a weakness that can be exploited to give an outsider a way into your system. That said, some things (like opening port 514) can only be done by root.</P> Mon, 10 Nov 2014 16:51:10 GMT richgalloway 2014-11-10T16:51:10Z Is there any reason not to run Splunk as root? https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114930#M24047 <P>Trying to create a Data Input on a forwarder using TCP Port 514. Can't do it as the splunk id. No problem creating DI using port 5514.</P> Mon, 10 Nov 2014 16:19:17 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114930#M24047 MikeBertelsen 2014-11-10T16:19:17Z Re: Is there any reason not to run Splunk as root? https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114931#M24048 <P>Ports 0-1024 are protected. Only root can use them.</P> <P>To address the question, yes, there are reasons to not run Splunk as root. Company policy may prohibit it. Security best practices say only system processes should run as root. Any program running as root may have a weakness that can be exploited to give an outsider a way into your system. That said, some things (like opening port 514) can only be done by root.</P> Mon, 10 Nov 2014 16:51:10 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114931#M24048 richgalloway 2014-11-10T16:51:10Z Re: Is there any reason not to run Splunk as root? https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114932#M24049 <P>There have been a couple previous questions here on Answer that address this topic such as this post: <A href="http://answers.splunk.com/answers/145385/should-we-run-splunk-as-root-or-non-root-user.html">http://answers.splunk.com/answers/145385/should-we-run-splunk-as-root-or-non-root-user.html</A></P> <P>Pretty much the same security issue and best practice that @richgalloway points out.</P> Mon, 10 Nov 2014 19:09:35 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114932#M24049 ppablo 2014-11-10T19:09:35Z Re: Is there any reason not to run Splunk as root? https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114933#M24050 <P>If you have to receive data on 514, consider setting up an iptables entry for 514 to reroute it to a local port &gt;1024 and have non-root Splunk listen to that.</P> Mon, 10 Nov 2014 20:37:29 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-any-reason-not-to-run-Splunk-as-root/m-p/114933#M24050 martin_mueller 2014-11-10T20:37:29Z