Deployment Architecture

What configuration do I need to change to make owner and permission of the app not to change?

Ken
Loves-to-Learn Lots

The deployment server and the UF both run on Linux. On the deployment server the app is owned by splunk:splunk, but when I push the app to the UF the app changes to root:root and the permissions change as well. What configuration do I need to change so that the owner and permissions of the app do not change? The Splunk service runs as the Splunk user.

0 Karma

Omar_hh77
Observer

Hello, I've been facing the same issue.

Were you able to find the reason for this?

0 Karma

isoutamo
SplunkTrust

Hi

Are you 100% sure that both the DS and the UF run splunkd as user and group splunk? Also check that all the files under /opt/splunk/ on the DS are owned by splunk:splunk, and that on the UF side all files and subdirectories under /opt/splunkforwarder are owned by splunk:splunk.

r. Ismo

0 Karma

Omar_hh77
Observer

Hi,

Yes, I've checked that; also, both machines are running on Linux.

It's probably from the agent side, since we pushed the app to ~500 UFs but only 5 or 6 failed.

0 Karma

isoutamo
SplunkTrust

It's almost 100% sure that you are running splunkd as root on those instances, because when those files are written to disk by splunkd (as DC) it uses its own uid + gid, which in this case were both 0, like root has.

The only other option that comes to my mind is that some external process changed the ownership of those files. Then, depending on their access mode, splunkd usually cannot read them, as it doesn't have access rights to root-owned files unless they are world readable (they shouldn't be).

0 Karma

Omar
Explorer

Thanks for the elaboration.
What's the correct way to check which user is running splunkd? I am using ps aux | grep splunk to check it.

0 Karma

isoutamo
SplunkTrust

That should be OK. Another is

ps -C splunkd -o euser,ruser,suser,fuser,group,egroup,rgroup,sgroup,f,start,args,label

which tells a little bit more about the user and group etc. for the splunkd process.

If/when splunkd is running as e.g. user splunk, all those different user+group fields show as splunk. If anything else then ....

0 Karma
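
The two checks suggested in this thread (which identities splunkd runs under, and who owns the files under the forwarder directory), as an added shell example that is not part of the original posts and is not Splunk tooling. It assumes the expected account is splunk:splunk and the install path is /opt/splunkforwarder; the function names and the sample ps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: expected owner splunk:splunk, forwarder
# installed in /opt/splunkforwarder; function names are hypothetical.

# Reads lines of "euser ruser suser fuser egroup rgroup sgroup args..."
# on stdin and prints those where any identity differs from $1:$2.
splunkd_wrong_identity() {
    awk -v u="$1" -v g="$2" '{
        bad = 0
        for (i = 1; i <= 4; i++) if ($i != u) bad = 1
        for (i = 5; i <= 7; i++) if ($i != g) bad = 1
        if (bad) print
    }'
}

# Prints every path under $1 whose owner is not $2 or whose group is not $3
# (names or numeric ids are accepted).
foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Constructed sample of the ps output consumed above (not real data):
# one healthy forwarder process and one started as root.
constructed_ps_sample() {
    cat <<'EOF'
splunk splunk splunk splunk splunk splunk splunk splunkd -p 8089 start
root root root root root root root splunkd -p 8089 start
EOF
}

# Live audit: a subset of the ps columns used in the thread, headers suppressed.
audit_forwarder() {
    echo "splunkd processes not running purely as $2:$3:"
    ps -C splunkd -o euser= -o ruser= -o suser= -o fuser= \
        -o egroup= -o rgroup= -o sgroup= -o args= |
        splunkd_wrong_identity "$2" "$3"
    echo "paths under $1 not owned by $2:$3:"
    foreign_owned "$1" "$2" "$3"
}

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunkforwarder}
if [ -d "$SPLUNK_HOME" ]; then
    audit_forwarder "$SPLUNK_HOME" splunk splunk
else
    # No forwarder on this host: show the filter on the constructed sample.
    constructed_ps_sample | splunkd_wrong_identity splunk splunk
fi
```

Empty output under both headings means splunkd and every deployed file match the expected account; any root-owned path listed is a candidate for the behaviour described in the thread.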