Does anyone face any issue while monitoring files on Solaris OS 5.11? I can read the desired file as the splunk user in an SSH session, but when I check the agent logs, there is a permission error logged for this path.
If anyone has resolved that issue, could you please help me?
Might be worth checking the UF inputs configuration with the btool command:
splunk cmd btool inputs list
Can you check if the UF is running as the correct splunk user? Can you also restart the UF and see if the "permission denied" error still appears?
Yes, it's running as the splunk user. I've changed the inputs configuration and restarted the UF, but nothing changed. The splunk user can list and read these files when I log in to the server with SSH.
I believe I had a similar problem in the past and it was due to permissions on Solaris. It had permission to read the file, but for some reason it was not able to read it. May I suggest you temporarily change the permissions? E.g. change the owner to the user running Splunk and change the permissions to 744 (or even 777 temporarily)?
Also, can you post the results from the following command?
splunk cmd btool inputs list
Also, what messages does splunkd.log show you about the log that should be getting monitored?
Thank you everyone for the support.
I've resolved the issue, but the solution has just created a new question 🙂 I found the system admin guy and he gave read permission to "other users" with "chmod o+r", and then the agent started to read the logs. Before we gave the permission, when we changed the user with "su -splunk" in the SSH session, the splunk user could list the directories and also read the log files, but when we changed user with "su splunk" it couldn't.
Can you describe the difference between these two "su" commands?
Without knowing all the details I'll try to answer:
The su with the hyphen changes the user's environment variables, and without the hyphen it keeps the environment variables (more info here: https://superuser.com/questions/453988/whats-the-difference-between-su-with-and-without-hyphen).
I believe it might be the case that you didn't have permissions to read the file before, and after su without the hyphen you kept that.
Full su documentation is also available here: http://man7.org/linux/man-pages/man1/su.1.html.
Hope this helps.
@gfreitas is correct. Someone needs to log in to that box locally, su to the splunk user, and try to cd through the folder hierarchy. The splunk user needs "ls" or read permissions on all directories in the tree that lead to the log files.
This is not a well-known thing to everyone, but it's part of working in *nix environments.
Hope this helps,
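The walk through the folder hierarchy suggested in the last answer, as an added diagnostic script that is not from the thread: it reports every directory on the way to a log file that the running user cannot search or list, so it can be run under "su - splunk -c" to check what the forwarder's account actually sees. The file path and the "splunk" account name are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the thread): report which path components block the
# user running this script. A file can be readable by its mode bits and still be
# unopenable if any parent directory lacks the execute (search) bit for that user;
# the read bit on a directory only controls "ls". Suggested usage as the
# service account (account name and path are assumptions):
#   su - splunk -c "sh /tmp/check_path.sh /var/log/app/app.log"
# Exit status 0 = the running user can open the file, 1 = something blocks it.

check_path_access() {
    target=$1
    rc=0
    # Make the path absolute so the component walk starts at the real root.
    case $target in /*) ;; *) target="$(pwd)/$target" ;; esac
    dir=$(dirname -- "$target")
    # Split the directory part on '/' without globbing the pieces.
    old_ifs=$IFS
    set -f
    IFS='/'
    set -- $dir
    IFS=$old_ifs
    set +f
    cur=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        if [ ! -x "$cur" ]; then
            echo "BLOCKED  no search (x) permission on directory: $cur"
            rc=1
        elif [ ! -r "$cur" ]; then
            # Traversal works; only listing is denied, which does not stop tailing.
            echo "warning  cannot list (r) directory, traversal OK: $cur"
        fi
    done
    if [ ! -e "$target" ]; then
        echo "BLOCKED  file missing or hidden by a blocked parent: $target"
        rc=1
    elif [ ! -r "$target" ]; then
        echo "BLOCKED  no read (r) permission on file: $target"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $target is readable by $(id -un)"
    return "$rc"
}

if [ $# -gt 0 ]; then
    check_path_access "$1"
fi
```

Because the checks use the caller's own uid, running the script as root proves nothing; it has to be run as the account the forwarder uses.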