Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there any reason not to run Splunk as root?

MikeBertelsen
Communicator
‎11-10-2014 08:19 AM

Trying to create a Data Input on a forwarder using TCP Port 514. Can't do it as the splunk id. No problem creating DI using port 5514.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2014 08:51 AM

Ports 0-1024 are protected. Only root can use them.

To address the question, yes, there are reasons to not run Splunk as root. Company policy may prohibit it. Security best practices say only system processes should run as root. Any program running as root may have a weakness that can be exploited to give an outsider a way into your system. That said, some things (like opening port 514) can only be done by root.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2014 08:51 AM

Ports 0-1024 are protected. Only root can use them.

To address the question, yes, there are reasons to not run Splunk as root. Company policy may prohibit it. Security best practices say only system processes should run as root. Any program running as root may have a weakness that can be exploited to give an outsider a way into your system. That said, some things (like opening port 514) can only be done by root.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-10-2014 12:37 PM

If you have to receive data on 514, consider setting up an iptables entry for 514 to reroute it to a local port >1024 and have non-root Splunk listen to that.

Reply
Solved! Jump to solution

ppablo
Retired
‎11-10-2014 11:09 AM

There have been a couple previous questions here on Answer that address this topic such as this post: http://answers.splunk.com/answers/145385/should-we-run-splunk-as-root-or-non-root-user.html

Pretty much the same security issue and best practice that @richgalloway points out.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...