Solved: Am I breaking any best practices doing a chmod to ...

jwalzerpitt · ‎11-03-2014

I would like to configure Splunk to monitor some log files in var/log and when i go to add data and select the directory I am not seeing all of the logs and the reason is the Splunk user I create does not have rights to see the relevant logs. I was thinking about doing a chmod to grant the Splunk user access to the log files, but if I do that will I breaking any best practices regarding accessing Linux log files?

Thx

frmaasdam · ‎11-03-2014

Two possibilities here:
1. Make user Splunk member of the GID of your logfiles. Group adm? But be sure (regarding a bug) that you start your Splunk instance using su -u splunk -c
2. Or do a setfacl on the requested log files so that user splunk has the rights to execute and read the files.

View solution in original post

jwalzerpitt · ‎11-03-2014

Thx for the info and options

frmaasdam · ‎11-03-2014

Two possibilities here:
1. Make user Splunk member of the GID of your logfiles. Group adm? But be sure (regarding a bug) that you start your Splunk instance using su -u splunk -c
2. Or do a setfacl on the requested log files so that user splunk has the rights to execute and read the files.

Am I breaking any best practices doing a chmod to grant a Splunk user access to Linux log files?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...