My Splunk forwarder is running as a splunk user and not root. What is the best way to grant this user read access to user's .bash_history logs without enforcing sudo? If I am not mistaken, theres no way for us to tell the splunk forwarder to run sudo and supply with its own creds again.
Any guidance will be very appreciated.
You could try giving Splunk access to all .bash_history files using setfacl. I don't know if the command has to be repeated when new users are added.
You could try giving Splunk access to all .bash_history files using setfacl. I don't know if the command has to be repeated when new users are added.