I have deployed Splunk Stream on a distributed environment to ingest DNS first.
I have followed howtos here and there and everything is fine with collected data.
One thing remains unclear.
I have Splunk Stream + Stream TA on my ES Search Head
Stream TA on another Search Head > just for parsing
Stream TA on Deployment Server > just for parsing
Stream TA on Indexer > for indexing, timestamp etc.
Stream TA + inputs on DNS servers
However, I do receive error messages from the SH, DS and IDX mentioning permission issues:
Unable to initialize modular input "streamfwd" defined inside the app "Splunk_TA_stream": Introspecting scheme=streamfwd: Unable to run "/opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd --scheme": child failed to start: Permission denied
I have already used set_permissions.sh, so that might be due to the fact that Splunk is running as non-root.
However, on these instances the TA is not there for capturing any stream, so isn't it better to just turn off the TA's network capturing capability?
I am wondering which files I should remove from the TA to do this, and if this is a good idea to do so.
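One way to keep the modular input from being launched on instances that only need the TA for parsing, as an added example that is not part of the original post: rather than deleting files from the TA, disable the input with a local override. The stanza name `[streamfwd://streamfwd]` is an assumption based on the `streamfwd` scheme shown in the error message and the TA's default input name.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf
# Local overrides survive TA upgrades, unlike edits or deletions under default/.
# Assumed stanza: the TA's default modular input instance for the "streamfwd"
# scheme named in the error message. With the input disabled, splunkd never
# tries to execute the capture binary, so the "Permission denied" message stops,
# while props/transforms in the TA still apply for parsing and indexing.
[streamfwd://streamfwd]
disabled = 1
```

Deploy this only to the search heads, deployment server and indexers; the DNS servers that actually capture traffic keep the input enabled.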