Hello all,
I have Ubuntu 14.04 64-bit and installed Splunk 6.2.2 with the commands:
sudo dpkg -i splunk-6.2.2-255606-linux-2.6-amd64.deb
sudo /opt/splunk/bin/splunk start --accept-license
sudo /opt/splunk/bin/splunk enable boot-start
I logged in to Splunk and changed the license to "Free license".
I added the apps:
Splunk Add-on for *Nix
Splunk App for Unix
When I open Splunk Add-on for Unix and Linux: Setup
I want to enable “var/log”. When I click on “save”, I get the error:
“There was an unexpected problem while saving the inputs. Please reload the page and try again.”
I added the user “splunk” to the syslog group. Same issue.
I changed the /etc/passwd entry to “splunk:x:0:0:Splunk Server:/opt/splunk:/bin/bash”. Same issue.
So Splunk Enterprise with the Free license is running on one host.
Does someone know the proper way to have the “Splunk App for Unix” read the logs on the host where Splunk is installed?
I have the same issue when I use “Data Input” -> “Local Inputs” -> “Files & directories” -> “Add new” -> “/var/log”. I get the error “This path does not exist or is not accessible.” I guess this is the same issue with rights.
When possible, please also provide the correct commands to add the rights to the user “splunk”.
Thanks in advance
Found out what I did wrong:
First I added the user "splunk" to the group "adm".
Before, I tried to browse. Doesn't work.
You have to type the path including an asterisk (*).
For example: /var/log/*
That works.

A non-root user cannot read /var by default.
More specifically, in Ubuntu, if you're not in the adm group, you can't read /var/log.
So as not to completely destroy the concept of security on /var/log, you will want to check here, where using ACLs is recommended:
http://answers.splunk.com/answers/60388/recommended-permissions-on-var-log-for-splunk-ta-nix.html
If you're unfamiliar with this, I found the Ubuntu doc on file permissions pretty enlightening on the subject:
https://help.ubuntu.com/community/FilePermissions
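As an added example (not code from this thread, from Splunk, or from the linked answer), the following POSIX sh script shows the ACL approach the answer above recommends: it grants a Splunk service account read-only access to /var/log through `setfacl`, rather than adding the account to `adm` or giving it UID 0 in /etc/passwd as tried in the question. The user name `splunk`, the directory `/var/log` and the presence of the `acl` package (`setfacl`/`getfacl`) are assumptions. The `acl_grants_read` helper parses `getfacl` output, honouring the `#effective:` annotation that appears when a mask restricts an entry, so the grant can be audited afterwards.

```shell
#!/bin/sh
# Added example, not from the thread above: grant the Splunk service account
# read-only access to /var/log with POSIX ACLs instead of adding it to adm or
# giving it UID 0 in /etc/passwd. User name, directory and the presence of the
# "acl" package (setfacl/getfacl) are assumptions; adjust to your host.
set -u

SPLUNK_USER="${SPLUNK_USER:-splunk}"   # assumed service account
LOG_DIR="${LOG_DIR:-/var/log}"         # assumed directory to be read

# acl_grants_read USER: read getfacl output on stdin and return 0 if a named
# user entry for USER grants read. If a mask restricts the entry, getfacl
# appends "#effective:..." and only the effective permissions count.
acl_grants_read() {
    awk -F: -v u="$1" '
        $1 == "user" && $2 == u {
            perms = $3
            pos = index($0, "#effective:")
            if (pos > 0) perms = substr($0, pos + 11)
            if (substr(perms, 1, 1) == "r") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# grant_read_acl USER DIR: recursive ACL giving USER read on files and
# traversal (X = execute only where something already has it) on directories,
# plus a default ACL so rotated and newly created logs inherit the entry.
# Returns 2 when prerequisites are missing, 1 when setfacl itself fails.
grant_read_acl() {
    user="$1"; dir="$2"
    if ! command -v setfacl >/dev/null 2>&1; then
        echo "setfacl not found; install the acl package first" >&2
        return 2
    fi
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 2; }
    setfacl -R -m "u:${user}:rX" "$dir" || return 1
    setfacl -R -d -m "u:${user}:rX" "$dir" || return 1
}

# audit_read_acl USER DIR: 0 if the ACL on DIR itself grants USER read.
audit_read_acl() {
    getfacl --absolute-names "$2" 2>/dev/null | acl_grants_read "$1"
}

# Usage (as root):  sh grant_log_acl.sh apply
if [ "${1:-}" = "apply" ]; then
    grant_read_acl "$SPLUNK_USER" "$LOG_DIR" || exit $?
    if audit_read_acl "$SPLUNK_USER" "$LOG_DIR"; then
        echo "$SPLUNK_USER can read $LOG_DIR via ACL; now add /var/log/* as the input path"
    else
        echo "ACL entry for $SPLUNK_USER not found on $LOG_DIR" >&2
        exit 1
    fi
fi
```

Run it as root with the `apply` argument; afterwards `getfacl /var/log` should show a `user:splunk:r-x` line with no `#effective` restriction. Because only read and directory traversal are granted, the indexer can still not write to or delete anything under /var/log, which is the point of preferring an ACL over group membership or UID 0.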
