All Apps and Add-ons
Highlighted

How do you handle Splunking Linux logs through the Splunk nix TA? Do you deploy with root?

Builder

I was wondering how enterprises were handling this situation. I know within my organization, the /var/log subdirectories, especially teh system ones are locked down to root access only. How is your enterprising handling the Splunking of these logs. We run Splunk with a service account that we deploy across the Infrastructure that has a non-expiry password, but doesn't have sudo rights.

I have spent some time undoing a lot of installations that were accidentally done by root because I know it is against best practices. So I was looking for some advice on how to best handle this one 🙂

Highlighted

Re: How do you handle Splunking Linux logs through the Splunk nix TA? Do you deploy with root?

Esteemed Legend

DO NOT run splunk as root! This is a huge security risk. Create a new user splunk and add him to the root group and run as user splunk. But you still may have problems accessing files. You can try to make sure that new files get +gr ("Group Read") permission in that directory (assuming user splunk is in the root group). The group ownership can be inherited by new files and folders created in your folder /path/to/parent by setting the setgid bit using chmod g+s like this:

chmod g+s /file/location/

Now, all new files and folder created under /file/location/ will have the same group assigned as is set /file/location has.

POSIX file permissions are not inherited; they are given by the creating process and combined with its current umask value and you can use POSIX ACLs to control this; to set the default ACL on a directory:

setfacl -d -m u::rwX,g::rX,o::- /file/location/

This will apply setfacl to the /file/location/ directory, -modifying the -default ACLs – those that will be applied to newly created items. (Uppercase X means only directories will receive the +x bit.)

For more detail, check out this Q&A:

https://answers.splunk.com/answers/240717/how-to-get-splunk-user-to-read-root-user-owned-fil.html

View solution in original post

Highlighted

Re: How do you handle Splunking Linux logs through the Splunk nix TA? Do you deploy with root?

Builder

@woodcock To my rescue again, thanks!

0 Karma