The splunk account was deleted from our univeral forwarder

New Member

My question has to do with the splunk account that was deleted from a univeral forwarder. The system is a Red Hat 6 server that is set up as a univeral forwarder to our Splunk indexers. The account was deleted from the system by an administrator, then restored. The account was restored with the same UIDs and GIDs previously set. The logs never stopped going to the indexers, as the service was not stopped or restarted. Is the restoration of the splunk account with the same UIDs and GIDs sufficient to prevent any failures or reloading of the univeral forwarder?

0 Karma

SplunkTrust

Yes, that should be sufficient IF you are running your Forwarder as the Splunk User. Most times, I think the default is to run a forwarder as root. What does ls -la /opt/splunkforwarder say about ownership?
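
An added example, not part of the original thread: a shell check an admin could run on the forwarder host to see which user splunkd runs as, whether the install directory is owned by the restored account's UID/GID, and whether any files are left without a matching account. The function names and exit codes are illustrative assumptions; `/opt/splunkforwarder` is the path from the answer above.

```bash
#!/bin/sh
# Added example (not from the thread): check that a restored OS service
# account still lines up with a forwarder install. The directory and the
# account name are passed in; this is not Splunk's own tooling.

# Users that currently own a running splunkd process (empty if none).
splunkd_run_users() {
    ps -eo user=,comm= | awk '$2 == "splunkd" { print $1 }' | sort -u
}

# ownership_status DIR UID GID -> 0 if DIR is owned by UID:GID, else 1.
ownership_status() {
    [ "$(stat -c '%u:%g' "$1")" = "$2:$3" ]
}

# Files whose numeric owner or group no longer maps to any account.
# After a delete/restore with identical IDs this should print nothing.
orphaned_paths() {
    find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null
}

# check_forwarder_account DIR ACCOUNT
#   0 = ACCOUNT owns DIR and nothing under it is orphaned
#   1 = DIR is owned by a different UID/GID (for example a forwarder
#       installed and run as root, or an account restored with new IDs)
#   2 = some files under DIR have no matching account
#   3 = ACCOUNT does not exist
check_forwarder_account() {
    local dir="$1" acct="$2" uid gid
    uid=$(id -u "$acct" 2>/dev/null) || return 3
    gid=$(id -g "$acct" 2>/dev/null) || return 3
    echo "splunkd running as: $(splunkd_run_users | tr '\n' ' ')"
    if ! ownership_status "$dir" "$uid" "$gid"; then
        echo "MISMATCH: $dir is $(stat -c '%U(%u):%G(%g)' "$dir"), $acct is $uid:$gid"
        return 1
    fi
    if [ -n "$(orphaned_paths "$dir" | head -n 5)" ]; then
        echo "ORPHANED files under $dir (first 5):"; orphaned_paths "$dir" | head -n 5
        return 2
    fi
    echo "OK: $acct ($uid:$gid) owns $dir"
}

# Usage: sh check.sh /opt/splunkforwarder splunk
if [ "$#" -ge 2 ]; then check_forwarder_account "$1" "$2"; fi
```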

Esteemed Legend

If he also deleted the user inside of Splunk, you should be OK simply re-adding him just like you did the first time and this should restore everything for the user the way it was before. The reason this is so is that deleting a Splunk user does not delete the Splunk user's home directory or files, which I actually consider a bug (but Splunk support does not). If you have heavy user churn, do not wait for this problem to bite you; set up an automatic script to periodically cross-reference the active Splunk user list against the user directories and delete the directories that do not have an active user. You can use this CLI command as a starting point to list all defined users on the Splunk server:

 $SPLUNK_HOME/bin/splunk search "| rest /services/authentication/httpauth-tokens splunk_server=local | stats values(userName) AS Users"

SplunkTrust

Your answer is referencing Splunk "end users", those that log in and search data on a Search Head. My interpretation of the question was based on the "splunk" user that is installed by default to the OS (RHEL in this case) that is used to run the forwarder/core installation.

New Member

Your interpretation is correct. It is the account installed by default on the OS. I will have an answer to your question about the ownership shortly. I requested the details from the system admin of that host. I apologize for the misspelling of "universal" in my initial question. My "s" key quit working today....

0 Karma

Esteemed Legend

Wow, you got the "s" fixed quickly! 😆

0 Karma

Esteemed Legend

Oh, good point. Having re-read it, I see that you are right and that my answer is out of context, but still perhaps a useful tidbit for people to know. Do you think I should delete my answer or leave it?

0 Karma

SplunkTrust

I agree to leave it, but you may want to preface it with the "This applies to End users" context, just to make others aware of the difference.

0 Karma

Esteemed Legend

It is re-edited for clarity.

0 Karma

SplunkTrust

I would leave it. It's good advice.

0 Karma