Getting Data In

Is there a way to submit events with user 'nobody' ?

davidtrujillo
Explorer

Hi.
I am trying to submit events, from a scripted input, with user 'nobody'

I am getting this error:

HTTP 403 Forbidden -- insufficient permission to access this resource

In order to submit my events I did the following:

Set tup my script in inputs.conf like this

[script://$SPLUNK_HOME/etc/apps/my_app/bin/my_script.py]
disabled = false
index = my_index
interval = * * * * *
sourcetype = generic_single_line
passAuth = nobody

As explained in the documentation, http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
I am getting an auth token for my script.

passAuth = <username>
* User to run the script as.
* If you provide a username, the instance generates an auth token for that
  user and passes it to the script via stdin.

I am using the generated auth_token on my script like this.

    service = client.Service(token=auth_token, app='my_app') 
    index = service.indexes["my_index"]    
    index.submit("Test", sourcetype="my_sourcetype", host="my_host", source="my_source")

I also tried:

    kwargs = {"owner":"nobody","app":"my_app","token":auth_token}
    service = client.connect(**kwargs)  
    index = service.indexes["my_index"]    
    index.submit("Test", sourcetype="my_sourcetype", host="my_host", source="my_source")

None of them work, as soon as it reaches the line: index.submit(), it throws the HTTP 403 Forbidden error.

If I change the 'nobody' user to any other user, even a user with USER role, it works well. But I am required to make my script work with the 'nobody' one.

Any ideas on what I'm doing wrong ?

Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...