Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can one enable the universal forwarder under solaris 10 to read /var/log/authlog as user "splunk"?

cmonig
Explorer
‎09-14-2012 02:09 AM

Hi,

we want to deploy universal forwarders to solaris 10 machines.
For security reasons, we want to keep the number of applications running with root priviledges as low as possible, and would prefer to run the forwarder as the user "splunk".

We need to index the contents of the file "/var/log/authlog", which is only readable for "root":

-rw------- 1 root sys 34M Sep 14 08:42 authlog

We tried to add splunk to the group "sys", and make the file readable to the group, but this is not working as the process writing "authlog" resets the permission each time authlog is written to.

Is there a way to work around this, or is the only solution to run splunk with root priviledges?

Thanks,

Christoph

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-15-2012 05:45 AM

This really isn't a "Splunk" question so much as it is a Unix file systems permission one. Splunk is just any other process, required to follow the permission model as defined by the operation system. You have some options:

  1. Run Splunk as root (you've already said this is undesirable)
  2. Hack up a scripted input that can run setuid (also undesirable IMHO)
  3. See if Solaris will let you apply a POSIX ACL to the /var/log/authlog file, explicitly granting read privs to user splunk. The big trick here is whether it will be maintained over rotations and so on.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-15-2012 05:45 AM

This really isn't a "Splunk" question so much as it is a Unix file systems permission one. Splunk is just any other process, required to follow the permission model as defined by the operation system. You have some options:

  1. Run Splunk as root (you've already said this is undesirable)
  2. Hack up a scripted input that can run setuid (also undesirable IMHO)
  3. See if Solaris will let you apply a POSIX ACL to the /var/log/authlog file, explicitly granting read privs to user splunk. The big trick here is whether it will be maintained over rotations and so on.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...