Splunk App for Unix and Linux: How to add permissions to read /var/log on the host where Splunk is installed?

john_zey
Explorer

Hello all,

I have Ubuntu 14.04 64-bit and installed Splunk 6.2.2 with the commands:

sudo dpkg -i splunk-6.2.2-255606-linux-2.6-amd64.deb
sudo /opt/splunk/bin/splunk start --accept-license
sudo /opt/splunk/bin/splunk enable boot-start 

I logged in to splunk and changed the license to "Free license"

I added the apps :

Splunk Add-on for *Nix
Splunk App for Unix

When I open Splunk Add-on for Unix and Linux : Setup
I want to enable “var/log”. When I click on “save”, I get the error :

“There was an unexpected problem while saving the inputs. Please reload the page and try again. “

I added the user “splunk” to the syslog group. Same issue.
I changed the /etc/passwd to “splunk:x:0:0:Splunk Server:/opt/splunk:/bin/bash”. Same issue.

So Splunk Enterprise with the Free license is running on one host.
Does someone know the proper way to have the “Splunk App for Unix” to read the log on the host where splunk is installed?

I have the same issue when I use “Data Input” --> “Local Inputs” --> “Files & directories” --> “Add new” --> “/var/log”. I get the error “This path does not exist or is not accessible.” I guess this is the same issue with rights.

When possible please provide also the correct commands, to add the rights to the user “splunk”

Thanks in advance

0 Karma
1 Solution

john_zey
Explorer

Found out what I did wrong :

First I added the user "splunk" to the group "adm".
Before I tried to browse. Doesn't work.
You have to type the path including an asterisk (*).
For example : /var/log/*

That works.

0 Karma

rsennett_splunk
Splunk Employee

A non-root user cannot read /var by default.
More specifically, in Ubuntu, if you're not in the adm group, you can't read /var/log.
So as not to completely destroy the concept of security on /var/log, you will want to check here, where using ACLs is recommended:
http://answers.splunk.com/answers/60388/recommended-permissions-on-var-log-for-splunk-ta-nix.html
If you're unfamiliar with this, I found the Ubuntu doc on file permissions pretty enlightening on the subject:

https://help.ubuntu.com/community/FilePermissions

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
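
An added example, not part of the original posts: a POSIX shell check, following the point above that /var/log on Ubuntu is readable through the adm group, which lists the files and directories a non-owner member of a given group could not read. The helper name unreadable_for_group and the script name are hypothetical; only mode bits and group ownership are checked, not ACL entries.

```shell
#!/bin/sh
# Added example: which entries under a log directory could a non-owner member
# of GROUP not read? Only mode bits and group ownership are checked; ACL
# entries (the approach the linked answer recommends) are not evaluated.
# Run it with enough privilege for find to descend into every subdirectory.

# unreadable_for_group DIR GROUP   (hypothetical helper name)
# GROUP may be a name such as adm or a numeric gid.
unreadable_for_group() {
    dir=$1
    grp=$2
    # Files need world-read (004), or ownership by GROUP plus group-read (040).
    find "$dir" -type f \
        ! \( -perm -004 -o \( -group "$grp" -perm -040 \) \) -print
    # Directories need read and search: 005 for world, or 050 through GROUP.
    find "$dir" -type d \
        ! \( -perm -005 -o \( -group "$grp" -perm -050 \) \) -print
}

# Usage (script name is an assumption): sh check_logs.sh /var/log adm
if [ "$#" -eq 2 ]; then
    unreadable_for_group "$1" "$2"
fi
```

Anything the check lists needs a group or mode change, or an ACL entry, before a monitor input running as the splunk user can read it.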