<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Logrotate question to Permit Splunk user to read syslog? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Logrotate-question-to-Permit-Splunk-user-to-read-syslog/m-p/421562#M74128</link>
    <description>&lt;P&gt;All, &lt;/P&gt;

&lt;P&gt;I have /var/log/messages on a host I want Splunk to be able to read. Here is my log rotation config. Splunk user is working. But cannot read the file even after logrotate runs this rotation. &lt;/P&gt;

&lt;P&gt;/var/log/cron&lt;BR /&gt;
/var/log/maillog&lt;BR /&gt;
/var/log/messages&lt;BR /&gt;
/var/log/secure&lt;BR /&gt;
/var/log/spooler&lt;BR /&gt;
{&lt;BR /&gt;
    missingok&lt;BR /&gt;
    sharedscripts&lt;BR /&gt;
    postrotate&lt;BR /&gt;
        /bin/kill -HUP `cat /var/run/syslogd.pid 2&amp;gt; /dev/null` 2&amp;gt; /dev/null || true&lt;BR /&gt;
        /usr/bin/setfacl -m u:splunk:r /var/log/*&lt;BR /&gt;
    endscript&lt;BR /&gt;
}&lt;/P&gt;

&lt;P&gt;If I manually go and run "/usr/bin/setfacl -m u:splunk:r /var/log/*" it works, however. &lt;/P&gt;

&lt;P&gt;Am I missing something? &lt;/P&gt;</description>
    <pubDate>Thu, 01 Aug 2019 19:12:36 GMT</pubDate>
    <dc:creator>daniel333</dc:creator>
    <dc:date>2019-08-01T19:12:36Z</dc:date>
    <item>
      <title>Logrotate question to Permit Splunk user to read syslog?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Logrotate-question-to-Permit-Splunk-user-to-read-syslog/m-p/421562#M74128</link>
      <description>&lt;P&gt;All, &lt;/P&gt;

&lt;P&gt;I have /var/log/messages on a host I want Splunk to be able to read. Here is my log rotation config. Splunk user is working. But cannot read the file even after logrotate runs this rotation. &lt;/P&gt;

&lt;P&gt;/var/log/cron&lt;BR /&gt;
/var/log/maillog&lt;BR /&gt;
/var/log/messages&lt;BR /&gt;
/var/log/secure&lt;BR /&gt;
/var/log/spooler&lt;BR /&gt;
{&lt;BR /&gt;
    missingok&lt;BR /&gt;
    sharedscripts&lt;BR /&gt;
    postrotate&lt;BR /&gt;
        /bin/kill -HUP `cat /var/run/syslogd.pid 2&amp;gt; /dev/null` 2&amp;gt; /dev/null || true&lt;BR /&gt;
        /usr/bin/setfacl -m u:splunk:r /var/log/*&lt;BR /&gt;
    endscript&lt;BR /&gt;
}&lt;/P&gt;

&lt;P&gt;If I manually go and run "/usr/bin/setfacl -m u:splunk:r /var/log/*" it works, however. &lt;/P&gt;

&lt;P&gt;Am I missing something? &lt;/P&gt;</description>
      <pubDate>Thu, 01 Aug 2019 19:12:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Logrotate-question-to-Permit-Splunk-user-to-read-syslog/m-p/421562#M74128</guid>
      <dc:creator>daniel333</dc:creator>
      <dc:date>2019-08-01T19:12:36Z</dc:date>
    </item>
  </channel>
</rss>

