Trouble for reading logs on Solaris 5.11

kutlu_sensoy
New Member

Hello everyone,

Does anyone face any issue while monitoring files on Solaris OS 5.11? I can read the desired file with the splunk user in an ssh session, but when I check the agent logs, there is a permission error log for this path.

If anyone has resolved that issue, could you please help me?

Regards.

0 Karma

gfreitas
Builder

Might be worth checking the UF inputs configuration from the btool command:
splunk cmd btool inputs list

0 Karma

badrinath_itrs
Communicator

Can you check if the UF is running as the correct splunk user? Can you also restart the UF and see if the error related to permission denied still comes?

0 Karma

kutlu_sensoy
New Member

Yes, it's running as the splunk user. I've changed the inputs configuration and restarted the UF but nothing changed. The splunk user can list and read these files when I log in to the server with ssh.

0 Karma

gfreitas
Builder

I believe I had a similar problem in the past and it was due to permissions on Solaris. It had permission to read the file but for some reason was not able to read it. May I suggest you temporarily change permissions? E.g. change the owner to the user running Splunk and change permissions to 744 (or even 777 temporarily)?
Also, can you post the results from splunk cmd btool inputs list?
Also, what messages does splunkd.log show you about the log that should be getting monitored?

kutlu_sensoy
New Member

Thank you everyone for the support.

I've resolved the issue but the solution has just created a new question 🙂 I found the system admin guy and he gave read permission to "other users" with "chmod o+r", and then the agent started to read the logs. Before we gave the permission, when we changed the user with "su -splunk" in the ssh session, the splunk user could list the directories and also read the log files, but when we changed user with "su splunk" it couldn't.

Can you describe what the difference is between these two "su" commands?

Regards

0 Karma

gfreitas
Builder

Without knowing all the details I'll try to answer:
the su with the hyphen changes the user's environment variables and without the hyphen it keeps the environment variables (more info here: https://superuser.com/questions/453988/whats-the-difference-between-su-with-and-without-hyphen).
I believe it might be the case that you didn't have permissions to read the file before and, after su without the hyphen, you kept that.
Full su documentation is also available here: http://man7.org/linux/man-pages/man1/su.1.html.

hope this helps

0 Karma

BainM
Communicator

@gfreitas is correct. Someone needs to log in to that box locally, su to the splunk user and try to cd through the folder hierarchy. The splunk user needs "ls" or read permissions on all directories in the tree that lead to the log files.
This is not a well-known thing to everyone, but it's part of working in *nix environments.

hope this helps,
Mike

0 Karma
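The directory-traversal point above is easy to verify mechanically rather than by cd-ing through the tree by hand. The following POSIX sh script is an added example, not code from any poster or from Splunk: it walks every directory component leading to a log file and reports the first one the current user cannot search (on Unix that is the execute bit on a directory, which is what a process needs to pass through it; the read bit only governs listing), then checks the file itself for the read bit. The `[ -x ]` / `[ -r ]` tests ask the kernel via access(2), so Solaris ACLs are honoured as well as the classic mode bits. Run it as the forwarder's user (for example `su - splunk -c "sh check_path_access.sh /var/log/app/app.log"`), because root bypasses these checks and will always see "ok". The sample tree built in the usage section is constructed for illustration.

```shell
#!/bin/sh
# check_path_access FILE
#   Exit 0 if the current user can traverse every directory leading to FILE
#   and read FILE itself; otherwise print the first failing component and
#   exit 1. Hypothetical helper name; not part of Splunk.
check_path_access() {
    target=$1
    # Make the path absolute so every prefix can be tested in turn.
    case "$target" in
        /*) ;;
        *)  target="$(pwd)/$target" ;;
    esac
    rest=${target#/}
    dir=""
    # While a '/' remains, peel off the next component and test the
    # directory built so far for the search (x) bit.
    while [ "$rest" != "${rest#*/}" ]; do
        comp=${rest%%/*}
        rest=${rest#*/}
        dir="$dir/$comp"
        if [ ! -x "$dir" ]; then
            printf 'cannot traverse %s (no x bit for user %s)\n' "$dir" "$(id -un)"
            return 1
        fi
    done
    # All parent directories are searchable; now the file needs the r bit.
    if [ ! -r "$target" ]; then
        printf 'cannot read %s (no r bit for user %s)\n' "$target" "$(id -un)"
        return 1
    fi
    printf 'ok: %s can traverse and read %s\n' "$(id -un)" "$target"
    return 0
}

# Usage: check every path given on the command line, e.g. the monitored
# files from "splunk cmd btool inputs list". No arguments: do nothing.
for p in "$@"; do
    check_path_access "$p"
done
```

A chmod o+r on the log file, as in the resolution above, only fixes the last check; if an intermediate directory lacks the x bit for the forwarder's user the script names that directory instead, which is the case `su splunk` (without the hyphen) can mask when the shell happens to already sit inside the tree.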