Trouble reading logs on Solaris 5.11

kutlu_sensoy
New Member

Hello everyone,

Has anyone faced any issue while monitoring files on Solaris OS 5.11? I can read the desired file as the splunk user in an SSH session, but when I check the agent logs, there is a permission error log for this path.

If anyone has resolved that issue, could you please help me?

Regards.

0 Karma

gfreitas
Builder

Might be worth checking the UF inputs configuration from the btool command:
splunk cmd btool inputs list

0 Karma

badrinath_itrs
Communicator

Can you check if the UF is running with the correct splunk user? Can you also restart the UF and see if the permission denied error still appears?

0 Karma

kutlu_sensoy
New Member

Yes, it's running with the splunk user. I've changed the inputs configuration and restarted the UF, but nothing changed. The splunk user can list and read these files when I log in to the server with SSH.

0 Karma

gfreitas
Builder

I believe I had a similar problem in the past and it was due to permissions on Solaris. It had permission to read the file but for some reason was not able to read it. May I suggest you temporarily change permissions? E.g. change the owner to the user running Splunk and change permissions to 744 (or even 777 temporarily)?
Also can you post the results from splunk cmd btool inputs list?
Also what messages does splunkd.log show you on the log that should be getting monitored?

kutlu_sensoy
New Member

Thank you everyone for the support.

I've resolved the issue, but the solution has just created a new question 🙂 I found the system admin guy and he gave read permission to "other users" with "chmod o+r", and then the agent started to read the logs. Before we gave the permission, when we changed the user with "su - splunk" in an SSH session, the splunk user could list the directories and also read the log files, but when we changed user with "su splunk" it couldn't.

Can you describe what the differences are between these two "su" commands?

Regards

0 Karma

gfreitas
Builder

Without knowing all the details I'll try to answer:
the su with the hyphen changes the user environment variables and without the hyphen it keeps the environment variables (more info here: https://superuser.com/questions/453988/whats-the-difference-between-su-with-and-without-hyphen).
I believe it might be the case you didn't have permissions to read the file before and after su you kept that without the hyphen.
Full su documentation is also available here: http://man7.org/linux/man-pages/man1/su.1.html.

hope this helps

0 Karma

BainM
Communicator

@gfreitas is correct. Someone needs to log in to that box locally, su to the splunk user and try to cd through the folder hierarchy. Splunk user needs "ls" or read permissions on all directories in the tree that lead to the log files.
This is not a well-known thing to everyone, but it's part of working in *nix environments.

hope this helps,
Mike

0 Karma
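
The directory-by-directory check suggested above can be scripted. This is an added example, not code from any poster in this thread; the function name `first_blocked_component` is made up for illustration, and it assumes it is run by the same account the forwarder runs as. It tests search (x) permission on each directory, which is what traversal requires, and read (r) permission on the file itself.

```shell
#!/bin/sh
# Added example (not from the thread). Run as the forwarder's account.
# Usage: first_blocked_component /absolute/path/to/monitored.log
#
# Walks the path from / downwards and prints the first component the
# current user cannot get past.
# Returns: 0 = whole chain usable, 1 = blocked by permissions,
#          2 = path is not absolute or a component does not exist.
first_blocked_component() {
    target=$1
    case $target in
        /*) ;;
        *) echo "not an absolute path: $target"; return 2 ;;
    esac
    current=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}                 # next component
        case $rest in
            */*) rest=${rest#*/} ;;      # drop it from the remainder
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue       # skip empty parts from "//"
        current="$current/$part"
        # All parents were already verified as searchable, so a failure
        # here means the component really is absent (or a dangling link).
        if [ ! -e "$current" ]; then
            echo "missing: $current"; return 2
        fi
        if [ -d "$current" ]; then
            # Directories must be searchable (x) to reach anything below.
            [ -x "$current" ] || { echo "no search (x) permission: $current"; return 1; }
        else
            # The file itself must be readable (r).
            [ -r "$current" ] || { echo "no read (r) permission: $current"; return 1; }
        fi
    done
    return 0
}
```

Running `ls -ld` on the component it reports shows the owner, group and mode that need attention, which is narrower than opening the file to 777.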