How do you handle Splunking Linux logs through the Splunk nix TA? Do you deploy with root?

paimonsoror
Builder

I was wondering how enterprises were handling this situation. I know within my organization, the /var/log subdirectories, especially the system ones, are locked down to root access only. How is your enterprise handling the Splunking of these logs? We run Splunk with a service account that we deploy across the infrastructure that has a non-expiry password, but doesn't have sudo rights.

I have spent some time undoing a lot of installations that were accidentally done by root because I know it is against best practices. So I was looking for some advice on how to best handle this one 🙂

1 Solution

woodcock
Esteemed Legend

DO NOT run splunk as root! This is a huge security risk. Create a new user splunk and add him to the root group and run as user splunk. But you still may have problems accessing files. You can try to make sure that new files get +gr ("Group Read") permission in that directory (assuming user splunk is in the root group). The group ownership can be inherited by new files and folders created in your folder /path/to/parent by setting the setgid bit using chmod g+s like this:

chmod g+s /file/location/

Now, all new files and folders created under /file/location/ will have the same group assigned as /file/location has.

POSIX file permissions are not inherited; they are given by the creating process and combined with its current umask value and you can use POSIX ACLs to control this; to set the default ACL on a directory:

setfacl -d -m u::rwX,g::rX,o::- /file/location/

This will apply setfacl to the /file/location/ directory, modifying (-m) the default (-d) ACLs, those that will be applied to newly created items. (Uppercase X means only directories will receive the +x bit.)

For more detail, check out this Q&A:

https://answers.splunk.com/answers/240717/how-to-get-splunk-user-to-read-root-user-owned-fil.html
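
The setup described in the answer above, as an added worked example that is not part of this thread, of the linked Q&A, or of the Splunk nix TA. It pairs the setgid/default-ACL setup with the check a practitioner wants before restarting the forwarder: which files under a log directory the non-root service account still cannot read. It assumes a Linux host with GNU or BusyBox `stat -c`; `setfacl` (from the acl package) is used only if installed. The user, group and directory names are placeholders.

```shell
#!/bin/sh
# Added example, not from this thread or from the Splunk nix TA.
# Assumes Linux with GNU or BusyBox `stat -c`; setfacl (acl package) is
# optional. "splunk", the group names and the paths are placeholders.

# in_group GROUP GROUPS -> success if GROUP appears in comma-separated GROUPS
in_group() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# unreadable_by USER GROUPS DIR
#   Prints every regular file under DIR that USER, a member of the
#   comma-separated GROUPS, cannot read according to the owner/group/other
#   mode bits, using the usual rule that only one class is consulted:
#   owner bits if USER owns the file, else group bits if USER is in the
#   file's group, else other bits. Caveats: POSIX ACLs are not considered
#   (inspect them with getfacl), and root bypasses mode bits entirely, so
#   nothing is reported for root. A file that cannot be stat'ed is reported.
unreadable_by() {
    user="$1"; groups="$2"; dir="$3"
    [ "$user" = root ] && return 0
    find "$dir" -type f 2>/dev/null | sort | while IFS= read -r f; do
        set -- $(stat -c '%U %G %a' "$f")   # owner, group, octal mode
        owner="$1"; group="$2"
        mode=$(printf '%s' "$3" | tail -c 3) # drop any setuid/setgid/sticky digit
        o="${mode%??}"; rest="${mode#?}"; g="${rest%?}"; w="${rest#?}"
        if [ "$owner" = "$user" ]; then
            bits="$o"
        elif in_group "$group" "$groups"; then
            bits="$g"
        else
            bits="$w"
        fi
        case $bits in
            [4567]) ;;                       # read bit set for the class that applies
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# grant_group_read DIR GROUP
#   The answer's setup: make GROUP own DIR, set the setgid bit so new
#   entries inherit that group, and install a default ACL so new entries
#   are group-readable (and traversable when they are directories).
#   Returns 0 when everything applied, 1 when chgrp/chmod failed, and 2
#   when the setgid part applied but no default ACL could be set (setfacl
#   missing, or the filesystem has no ACL support). Run as DIR's owner or root.
grant_group_read() {
    dir="$1"; group="$2"
    chgrp "$group" "$dir" || return 1
    chmod g+rxs "$dir" || return 1
    command -v setfacl >/dev/null 2>&1 || return 2
    setfacl -d -m 'u::rwX,g::rX,o::---' "$dir" || return 2
}

# Usage: sh splunk_log_access.sh USER GROUPS DIR
#   e.g.  sh splunk_log_access.sh splunk "$(id -Gn splunk | tr ' ' ,)" /var/log
if [ "$#" -eq 3 ]; then
    unreadable_by "$@"
fi
```

Run the check against the groups the service account really has (`id -Gn splunk`), and treat every path it prints as a file the forwarder will skip with a permission error. Because the check reads only mode bits, re-verify with `getfacl` on directories where `grant_group_read` installed a default ACL; a return code of 2 from that helper means the setgid inheritance is in place but no ACL was applied, which on a filesystem mounted without ACL support is what you will see.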

paimonsoror
Builder

@woodcock To my rescue again, thanks!
