The docs mention that installs need to be done as root (but don't really explain why):
- http://docs.splunk.com/Documentation/Splunk/6.2.0/Installation/RunSplunkasadifferentornon-rootuser
Some answers refer to the need to give the user running Splunk access to /dev/urandom, though it isn't clear why that's necessary (encryption?):
- http://answers.splunk.com/answers/49153/install-splunk-as-non-root-user.html
What aspects of the installation of Splunk require root privileges? For the more security-conscious sysadmins out there, being able to install Splunk without opening the root kimono would be much preferable.
BTW, as a test, I installed Splunk as a non-root user (on a host where Splunk was already installed), then brought up this new instance as that user and verified there weren't any errors during startup. I also verified that I could log in to the UI and do basic navigation. So at first glance, it looks like root privileges aren't a requirement. Then again, this was far from a thorough shake-out test and could've missed something.
Splunk does not need to be installed as root, but you cannot install packages on Linux, Solaris, or FreeBSD as non-root, generally speaking. A tar-based install should work of course.
I think it was just easier to write the how-to in the scope of unpacking it as root in order to create a splunk user, since that's reasonable best practice in any event, and the boot-start action will require root access, though you're free to set up init scripts or equivalent yourself.
(Not sure if this counts as an answer or a comment as I'm kind of building off of the prior answer.)
I never install as root. Splunk has the ability to run scripts as scripted inputs and as the result of a triggered alert. That, to me, is too high a risk to allow it to run as root. Obviously running as non-root means you'll need to make sure any inputs have proper permissions and/or sudo where required; none of that has been complicated or labor-intensive enough to persuade me to install as root.
Here's what I do:
su - ${USER} -c "${SPLUNK_HOME}/bin/splunk start --answer-yes --no-prompt --accept-license"
${SPLUNK_HOME}/bin/splunk enable boot-start -user ${USER}
All of that should be in the documentation if you need further explanation on any of the params, etc...
Happy Splunking!
Changed to Kudos, not sure what I was thinking with my original comment
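The procedure in the answer above (unpack as a dedicated user, first start as that user, then hand only the boot-start step to root) as a complete script. This is an added example, not code from the thread or from Splunk; the tarball path, SPLUNK_HOME and the service account name are hypothetical placeholders, and the useradd options are Linux shadow-utils flags. The preflight function encodes the three things a non-root Splunk is known, from this thread, to need: a non-root uid, an owned SPLUNK_HOME, and read access to /dev/urandom.

```shell
#!/bin/sh
# Added example (not from the original thread or from Splunk):
# tar-based, non-root Splunk install. Placeholders are assumptions.
SPLUNK_USER="${SPLUNK_USER:-splunk}"          # hypothetical service account
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"     # hypothetical install root
SPLUNK_TGZ="${SPLUNK_TGZ:-/tmp/splunk.tgz}"   # hypothetical tarball path

# Preflight checks for running splunkd unprivileged. Arguments: install
# directory and service user. Returns 0 only if every check passes; each
# failure is reported so the caller can fix ownership before first start.
preflight_nonroot() {
  dir=$1; user=$2; rc=0
  # 1. Refuse uid 0: scripted inputs and alert actions would run as root.
  if [ "$user" = "root" ]; then
    echo "refusing to run Splunk as root" >&2; rc=1
  fi
  # 2. SPLUNK_HOME must belong to the service user (it writes etc/ and var/).
  #    'find -user' with a nonexistent user prints nothing, which also fails.
  if [ -z "$(find "$dir" -maxdepth 0 -user "$user" 2>/dev/null)" ]; then
    echo "$dir is not owned by $user" >&2; rc=1
  fi
  # 3. The thread reports the service user needs read access to /dev/urandom;
  #    a hardened device node (mode 600 root) breaks an unprivileged start.
  if [ ! -r /dev/urandom ]; then
    echo "/dev/urandom is not readable by $(id -un)" >&2; rc=1
  fi
  return $rc
}

# Installs as the service user. Only account creation, directory creation
# and 'enable boot-start' (writes under /etc) go through sudo; the unpack
# and the first start run as the unprivileged account.
install_nonroot() {
  sudo useradd --system --home "$SPLUNK_HOME" --shell /sbin/nologin \
      "$SPLUNK_USER" 2>/dev/null || true          # ignore "already exists"
  sudo mkdir -p "$SPLUNK_HOME"
  sudo chown "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
  # The Splunk tarball unpacks a top-level 'splunk/' directory, so extract
  # into the parent of SPLUNK_HOME (assumes SPLUNK_HOME ends in /splunk).
  sudo -u "$SPLUNK_USER" tar -xzf "$SPLUNK_TGZ" -C "$(dirname "$SPLUNK_HOME")"
  preflight_nonroot "$SPLUNK_HOME" "$SPLUNK_USER" || return 1
  # First start as the service user (same flags as the answer above).
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" start \
      --answer-yes --no-prompt --accept-license
  # The one step that genuinely needs root: installing the boot script.
  # -user pins the service to the unprivileged account at boot.
  sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"
}

# Run the install only when explicitly asked; sourcing the file just
# defines the functions so preflight_nonroot can be reused elsewhere.
case "${1:-}" in
  install) install_nonroot ;;
esac
```

Run it as `sh install-splunk.sh install` from an account that has sudo; everything after the chown happens as the service user, so a scripted input or alert action that later misbehaves is confined to that account. If preflight_nonroot fails on the /dev/urandom check, the fix is to restore the device node's normal world-readable mode rather than to fall back to root.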
Hi
There are two separate things.
If you want to use e.g. an rpm package or automatic start on boot, it's mandatory to use at least sudo (as root) when you are doing the installation. BUT after that you can, and actually should, run Splunk as a non-root account like splunk or srv-splk or anything else than root.
Also UFs should run as a non-root user, but that needs quite a lot of fine tuning to access all needed log files.
Ismo
Splunk does not need to be installed as root, but you cannot install packages on Linux, Solaris, or FreeBSD as non-root, generally speaking. A tar-based install should work of course.
I think it was just easier to write the how-to in the scope of unpacking it as root in order to create a splunk user, since that's reasonable best-practice in any event, and the boot-start action will require root access, though you're free to set up init scripts or equivalent yourself.
I downvoted this post because boot-start can be enabled/disabled via sudo. It does not require root.
I downvoted this post because downvoting without a clue.
@rob.gibson, I'm not sure why you would downvote this post.
'sudo' is a setuid-root binary, which executes root commands on behalf of authorized users; the users need to enter their own password to execute a system command preceded by 'sudo'.
Sudo is a mechanism by which you can enable users to take actions as other users, typically to take actions as root.