My question has to do with the splunk account that was deleted from a universal forwarder. The system is a Red Hat 6 server that is set up as a universal forwarder to our Splunk indexers. The account was deleted from the system by an administrator, then restored. The account was restored with the same UIDs and GIDs previously set. The logs never stopped going to the indexers, as the service was not stopped or restarted. Is the restoration of the splunk account with the same UIDs and GIDs sufficient to prevent any failures or reloading of the universal forwarder?
Yes, that should be sufficient IF you are running your Forwarder as the Splunk User. Most times, I think the default is to run a forwarder as root. What does
ls -la /opt/splunkforwarder say about ownership?
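An added check for the situation above (example code, not from the thread): beyond a single ls -la, it walks the install tree for files not owned by the restored account's UID/GID and compares the user splunkd is running as. It assumes the forwarder lives in /opt/splunkforwarder and the OS account is named splunk; both are parameters.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults (/opt/splunkforwarder, "splunk")
# are assumptions; pass your own install dir and account name.

# Count entries under $1 whose owner UID != $2 or group GID != $3.
# A restored account with the old UID/GID should give 0 here.
count_foreign_files() {
  find "$1" \( ! -uid "$2" -o ! -gid "$3" \) 2>/dev/null | wc -l | tr -d ' '
}

# Print the user the forwarder's splunkd runs as, or "none" if there is
# no readable pid file (forwarder not running, or not installed at $1).
splunkd_user() {
  pidfile="$1/var/run/splunk/splunkd.pid"
  [ -r "$pidfile" ] || { echo none; return; }
  pid=$(head -n 1 "$pidfile")
  user=$(ps -o user= -p "$pid" 2>/dev/null | tr -d ' ')
  echo "${user:-none}"
}

# Overall verdict: prints one summary line and returns 0 only when every
# file is owned by the account and splunkd (if running) runs as it.
check_restored_account() {
  home="${1:-/opt/splunkforwarder}"
  acct="${2:-splunk}"
  uid=$(id -u "$acct") || return 2   # account missing from passwd
  gid=$(id -g "$acct") || return 2
  foreign=$(count_foreign_files "$home" "$uid" "$gid")
  runner=$(splunkd_user "$home")
  echo "account=$acct uid=$uid gid=$gid foreign_files=$foreign splunkd_user=$runner"
  [ "$foreign" -eq 0 ] && { [ "$runner" = none ] || [ "$runner" = "$acct" ]; }
}

# Usage: check_restored_account /opt/splunkforwarder splunk
```

If the count is non-zero, the restored account did not get the old UID/GID and a chown of the tree is needed before the next restart; if splunkd runs as root, file ownership does not affect the running forwarder at all.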
If he also deleted the user inside of Splunk, you should be OK simply re-adding him just like you did the first time, and this should restore everything for the user the way it was before. The reason this is so is that deleting a Splunk user does not delete the Splunk user's home directory or files, which I actually consider a bug (but Splunk support does not). If you have heavy user churn, do not wait for this problem to bite you; set up an automatic script to periodically cross-reference the active Splunk user list against the user directories and delete the directories that do not have an active user. You can use this CLI command as a starting point to list all defined users on the Splunk server:
$SPLUNK_HOME/bin/splunk search "| rest /services/authentication/httpauth-tokens splunk_server=local | stats values(userName) AS Users"
Your answer is referencing Splunk "end users", those that log in and search data on a Search Head. My interpretation of the question was based on the "splunk" user that is installed by default to the OS (RHEL in this case) that is used to run the forwarder/core installation.
Your interpretation is correct. It is the account installed by default on the OS. I will have an answer to your question about the ownership shortly. I requested the details from the system admin of that host. I apologize for the misspelling of "universal" in my initial question. My "s" key quit working today....
Oh, good point. Having re-read it, I see that you are right and that my answer is out of context, but still perhaps a useful tidbit for people to know. Do you think I should delete my answer or leave it?