Solved: Forwarder running as Splunk user

logtastic · ‎05-10-2021

My Splunk forwarder is running as a splunk user and not root. What is the best way to grant this user read access to user's .bash_history logs without enforcing sudo? If I am not mistaken, theres no way for us to tell the splunk forwarder to run sudo and supply with its own creds again.

Any guidance will be very appreciated.

richgalloway · ‎05-10-2021

You could try giving Splunk access to all .bash_history files using setfacl. I don't know if the command has to be repeated when new users are added.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-10-2021

You could try giving Splunk access to all .bash_history files using setfacl. I don't know if the command has to be repeated when new users are added.

---
If this reply helps you, Karma would be appreciated.

Forwarder running as Splunk user

configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation