Splunk Enterprise

Why is /opt/splunkforwarder/var/ owned by root on install when nothing else is?

inolan
Engager

Why is /opt/splunkforwarder/var/ owned by root on install when everything else in /opt/splunkforwarder/ is owned by Splunk on install? Shouldn't everything in /opt/splunkforwarder/ be recursively owned by Splunk? I would run $chown -R splunk:splunk /opt/splunkforwarder, but I'm not sure if this is a best practice or not, and I haven't found any documentation on this.

Thanks in advance.

Example:

[root@...... splunkforwarder]# pwd
/opt/splunkforwarder
[root@....... splunkforwarder]# ls -al
total 124
drwxr-xr-x.  9 splunk splunk   231 Sep 14 15:51 .
drwxr-xr-x.  3 root   root      29 Aug 20 10:03 ..
drwxr-xr-x.  3 splunk splunk  4096 Aug 20 10:03 bin
-r--r--r--.  1 splunk splunk    57 Jul  9 20:26 copyright.txt
drwxr-xr-x. 13 splunk splunk  4096 Aug 20 10:03 etc
drwxr-xr-x.  2 splunk splunk    27 Aug 20 10:03 include
drwxr-xr-x.  4 splunk splunk  4096 Aug 20 10:03 lib
-r--r--r--.  1 splunk splunk 61779 Jul  9 20:26 license-eula.txt
drwxr-xr-x.  3 splunk splunk    58 Aug 20 10:03 openssl
-r--r--r--.  1 splunk splunk   841 Jul  9 20:29 README-splunk.txt
drwxr-xr-x.  3 splunk splunk    41 Aug 20 10:03 share
-r--r--r--.  1 splunk splunk 37921 Jul  9 21:42 splunkforwarder-7.1.2-a0c72a66db66-linux-2.6-x86_64-manifest
drwx--x---.  6 root   root      52 Aug 20 10:03 var <====== why?

[root@......]# pwd
/opt/splunkforwarder/var
[root@......]# ls -al
total 0
drwx--x---. 6 root   root    52 Aug 20 10:03 .
drwxr-xr-x. 9 splunk splunk 231 Sep 14 15:51 ..
drwx--x---. 3 root   root    20 Aug 20 10:03 lib
drwx--x---. 4 root   root    41 Aug 20 10:03 log
drwx--x---. 4 root   root    62 Aug 20 10:06 run
drwx--x---. 4 root   root    39 Aug 20 10:03 spool

ddrillic
Ultra Champion

What you did using chown -R splunk:splunk /opt/splunkforwarder is perfect when the forwarder is obviously down ; - )

In order to prevent the situation the following says splunk-launch.conf.spec


sduff_splunk
Splunk Employee

When you first ran splunk, you ran it as the root user. So Splunk created a number of files owned by root.

You need to run chown -R splunk:splunk /opt/splunkforwarder


inolan
Engager

Alright, that's what I figured, I just didn't know if it was a best practice or that it wouldn't break anything. Thanks.
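
An added example, not part of the thread and not Splunk tooling: a read-only check that shows which top-level directories under the forwarder install contain paths not owned by the service account, for use before and after the chown -R discussed above. The path /opt/splunkforwarder and the account splunk come from the question; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit ownership under a Splunk forwarder install.
# Assumed invocation: sh audit.sh /opt/splunkforwarder splunk
# Nothing is modified; the script only reads file metadata.

# Print every path under directory $1 whose owner UID is not $2.
list_foreign_owned() {
    dir=$1
    uid=$2
    find "$dir" ! -uid "$uid" -print 2>/dev/null
}

# Count the paths reported by list_foreign_owned.
count_foreign_owned() {
    list_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# For each top-level entry of $1, print "<count><TAB><path>" when it holds
# paths with the wrong owner, so a root-owned var/ stands out the same way
# it does in the ls -al listing from the question.
report_by_subdir() {
    dir=$1
    uid=$2
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        n=$(count_foreign_owned "$entry" "$uid")
        [ "$n" -gt 0 ] && printf '%s\t%s\n' "$n" "$entry"
    done
    return 0
}

# Run the report only when called with <install dir> <account name>.
if [ "$#" -eq 2 ]; then
    want_uid=$(id -u "$2") || exit 2
    report_by_subdir "$1" "$want_uid"
fi
```

An empty report after the chown means every path under the install directory belongs to the service account.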
