I need to run Splunk Stream on some universal forwarders to capture data from a set of servers. The only way I've been able to do this is by running splunkd as root, which is not viable in production.
I am deploying Splunk_TA_stream 8.1.3 to the forwarders using a deployment server; forwarders are configured for boot-start. I've followed the documentation on installing the add-on and running set_permissions.sh to change the binary to run as root. However, restarting splunk reverts the permissions on the streamfwd binary and streaming fails to start, throwing the errors below.
If I modify the service to run as root stream works as expected.
(CaptureServer.cpp:2338) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
(SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor unrecognized link layer for device <ens192>: 253
The servers I need to stream from are all running Red Hat 9.4 on VMWare 8 using VMXNET 3 NICs.
I'm aware of workarounds others have come up with, but we need a permanent solution to this problem.
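A quick way to confirm whether a restart really strips what set_permissions.sh applied is to inspect the binary's ownership and setuid bit before and after the restart. The script below is an added example, not code from the post or from Splunk's add-on; it assumes that set_permissions.sh grants root via the setuid bit plus root ownership on streamfwd (the post only says it makes the binary "run as root"), that GNU coreutils `stat` is available, and the add-on path `/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd` is only a placeholder default.

```shell
#!/bin/sh
# Added example (not from the post or from Splunk_TA_stream): report whether a
# capture binary still carries root ownership and the setuid bit, so the state
# can be compared before and after a splunkd restart. Assumes GNU `stat`.

# Usage: check_setuid_root FILE [REQUIRED_OWNER]
# Prints exactly one of: ok, missing, no-setuid, not-root-owned
# Exit status is 0 only for "ok", so it can be used directly in a loop or cron.
check_setuid_root() {
    f=$1
    want=${2:-root}
    [ -e "$f" ] || { echo missing; return 1; }
    # POSIX test -u checks the set-user-ID bit without parsing octal modes.
    [ -u "$f" ] || { echo no-setuid; return 1; }
    owner=$(stat -c '%U' "$f")
    [ "$owner" = "$want" ] || { echo not-root-owned; return 1; }
    echo ok
}

# Constructed scenario: a file that has the setuid bit but is owned by whoever
# ran chmod (what you get if a non-root splunk account ran the chmod itself).
demo_setuid_only() {
    tmp=$(mktemp) || return 1
    chmod 4755 "$tmp"
    check_setuid_root "$tmp" || true
    rm -f "$tmp"
}

# Constructed scenario: an ordinary 0755 binary, i.e. what the post describes
# after a restart has reverted the permissions.
demo_plain() {
    tmp=$(mktemp) || return 1
    chmod 755 "$tmp"
    check_setuid_root "$tmp" || true
    rm -f "$tmp"
}

# Stand-alone use: check the real binary (placeholder path, override via $1).
if [ "${1:-}" != "" ] || [ "$(basename "$0")" = "check_streamfwd.sh" ]; then
    check_setuid_root "${1:-/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd}"
fi
```

Run it once after set_permissions.sh and again after `splunk restart`; a change from `ok` to `no-setuid` or `not-root-owned` pins the problem on something in the restart or deployment-server path rewriting the file, rather than on the capture code itself.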