Why do app or add-on installations, on a single-instance Splunk Enterprise 7.1.2 on Linux, show as root user by default?

neerajshah81
Path Finder

I have a single instance Splunk Enterprise 7.1.2 on Linux. I have used a non-root user "splunk" & group "splunk" to install Splunk. At the time of install I made sure to run the "chown -R splunk:splunk /opt/splunk" command and verified all files/dirs are now owned by "splunk:splunk". I am noticing that whenever I install a new app or add-on, its owner is root:root by default. I have to manually run that chown command every time after I install an app or add-on & restart splunk.

I have looked at this thread https://answers.splunk.com/answers/481355/why-are-apps-installing-as-root-user-when-dir-is-n.html?ut... As per it, is it because we are using the "sudo $SPLUNK_HOME/bin/splunk restart" command to restart splunk after each app install, which is causing splunk to restart as a root user? What is the other way then?

Anybody else using Splunk on Linux facing the same issue?

Thanks
Neeraj

1 Solution

woodcock
Esteemed Legend

Just because you are changing file ownership does not mean that you have changed the user that is running Splunk; clearly this is still root. Go to the CLI as root and do this:

/opt/splunk/bin/splunk stop
DO EVERYTHING IN THIS SECTION (but do not use `bob`, use `splunk`): https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/ConfigureSplunktostartatboottime#Enable_boo...
chown -R splunk:splunk /opt/splunk
systemctl daemon-reload
service splunk start

Then you will be running as user splunk


FrankVl
Ultra Champion

Just configure the desired OS user in etc/splunk-launch.conf (last line of that file already contains a placeholder for that setting, just uncomment and add the user name). That way, regardless of which user starts splunk, it always runs under the correct user.

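To make the two fixes in this thread checkable, here is an added example (not code from any poster or from Splunk): a POSIX shell script that pins SPLUNK_OS_USER in splunk-launch.conf the way FrankVl describes, lists files under an apps tree that are not owned by the service account (the chown problem from the question), and reports which user the live splunkd runs as. The splunk-launch.conf content is a constructed sample, and the paths $SPLUNK_HOME/etc/splunk-launch.conf and $SPLUNK_HOME/etc/apps are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes $SPLUNK_HOME/etc/splunk-launch.conf
# and $SPLUNK_HOME/etc/apps; the sample config below is constructed, not a real install.

# Write a constructed splunk-launch.conf ending with the commented placeholder
# FrankVl refers to, so the functions below can be exercised offline.
make_sample_conf() {
  cat > "$1" <<'EOF'
# Version 7.1.2 (constructed sample)
SPLUNK_SERVER_NAME=Splunkd
# If SPLUNK_OS_USER is set, splunkd will refuse to start as any other user.
#SPLUNK_OS_USER
EOF
}

# Pin the OS user: uncomment and fill the placeholder if present, otherwise
# append the setting. Idempotent; prints the resulting value.
set_splunk_os_user() {
  conf="$1"; user="$2"
  if grep -q '^[# ]*SPLUNK_OS_USER' "$conf"; then
    sed -i.bak "s/^[# ]*SPLUNK_OS_USER.*/SPLUNK_OS_USER=$user/" "$conf"
  else
    printf 'SPLUNK_OS_USER=%s\n' "$user" >> "$conf"
  fi
  sed -n 's/^SPLUNK_OS_USER=//p' "$conf"
}

# After an app install, list everything under the tree not owned by the
# service account; non-empty output means the chown from the question is still needed.
find_foreign_owned() {
  find "$1" ! -user "$2" -print
}

# User the live splunkd runs as; "root" after "sudo splunk restart" is the symptom
# described in the thread. Prints "not running" when no splunkd process exists.
splunkd_user() {
  u=$(ps -eo user=,comm= 2>/dev/null | awk '$2=="splunkd"{print $1; exit}')
  printf '%s\n' "${u:-not running}"
}

# Stand-alone demo on a throwaway directory.
demo=$(mktemp -d)
make_sample_conf "$demo/splunk-launch.conf"
echo "SPLUNK_OS_USER now: $(set_splunk_os_user "$demo/splunk-launch.conf" splunk)"
echo "splunkd runs as: $(splunkd_user)"
rm -rf "$demo"
```

Run the ownership check as `find_foreign_owned "$SPLUNK_HOME/etc/apps" splunk` right after installing an app; once SPLUNK_OS_USER is set, a restart attempted as the wrong user is refused rather than silently running as root.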

woodcock
Esteemed Legend

There is much more to it than that. See my answer.


FrankVl
Ultra Champion

Sounds more like a different way of doing things? I've never changed the init.d file, or appended the -user flag to the enable-boot command. Just set the user in the splunk-launch.conf and it always runs as the correct user. After boot, but also when you (accidentally) execute ./splunk restart while being root.

Edit, ah:

When 'splunk enable boot-start -user <u>' is invoked, SPLUNK_OS_USER is set to <u> as a side effect. 

So your approach also sets splunk-launch.conf OS user setting in the end.


MikaJustasACN
Path Finder

When you are restarting Splunk by running "sudo $SPLUNK_HOME/bin/splunk restart", essentially what you do is you restart splunk into root user. You can confirm that by "ps -aux | grep splunk". You first need to jump to splunk user: "sudo su splunk" and then $SPLUNK_HOME/bin/splunk restart.

neerajshah81
Path Finder

Thanks Mika. Upvote granted 🙂
