All Apps and Add-ons

Trouble for reading logs on Solaris 5.11

kutlu_sensoy
New Member

Hello everyone,

Does anyone face with any issue while monitoring files on SolarisOs 5.11 ? i can read the desired file with splunk user on ssh session but when i check agent logs, there is a permission error log for this path.

If anyone has resolved that issue could you please help me.

Regards.

0 Karma

gfreitas
Builder

Might be worth checking the UF inputs configuration from the btool command:
splunk cmd btool inputs list

0 Karma

badrinath_itrs
Communicator

Can you check if the UF is running with correct splunk user . Can you also restart the UF and see if the error still comes related to permission denied.

0 Karma

kutlu_sensoy
New Member

Yes it's running with splunk user, i've changed the inputs configuration and restarted the uf but nothing changed. splunk user can list and read these files when i login the server with ssh.

0 Karma

gfreitas
Builder

I believe I had a similar problem in the past and it was due to permissions on Solaris. It had permission to read the file but for some reason not able to read it. May I suggest you temporarily change permissions? E.g. change owner to user running Splunk and change permissions to 744 (or even 777 temporary)?
Also can you post the results from splunk cmd btool inputs list?
Also what messages does splunkd.log show you on the log that should be getting monitored?

kutlu_sensoy
New Member

Thank you everyone for the support.

I've resolve the issue but solution has just create a new questions 🙂 I found the system admin guy and he gave the read permission to "other users" with "chmod o+r" and then agent start to read the logs. Before we gave the permission, when we change the user with "su -splunk" in ssh session splunk user can list the directories and also read the log files but when we change user with "su splunk" it can't.

Can you describe what is the differences between these two "su" commands ?

Regards

0 Karma

gfreitas
Builder

Without knowing all the details I'll try to answer:
the su with the hyphen changes the user environment variables and without the hyphen it keeps the environment variables (more info here: https://superuser.com/questions/453988/whats-the-difference-between-su-with-and-without-hyphen).
I believe it might be the case you didn't have permissions to read the file before and after su you kept that without the hyphen.
Full su documentation is also available here: http://man7.org/linux/man-pages/man1/su.1.html.

hope this helps

0 Karma

BainM
Communicator

@gfreitas is correct. Someone needs to login to that box locally, su to the splunk user and try to cd through the folder hierarchy. Splunk user needs "ls" or read permissions on all directories in the tree that lead to the log files.
This is not a well-known thing to everyone, but it's part of working in *nix environments.

hope this helps,
Mike

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...