Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Monitoring privileged and non-privileged logs using universal Forwarder on *nix

bohrasaurabh
Communicator
‎05-14-2015 07:24 AM

I would like to know, how security conscious teams configure (like guid, user account to run splunkd as, etc for) Splunk Universal Forwarder on *nix platform, to monitor both the privileged (logs like /var/log/message with perm 600) and non-privileged (may be an application log with perm 666).

I looked at the below answer and don't think installing syslog-ng on all servers is a option for us.
http://answers.splunk.com/answers/4253/how-to-monitor-root-owned-logs-while-running-splunk-as-a-non-...

Tags (1)
Reply

mmccul
SplunkTrust
SplunkTrust
‎05-14-2015 07:48 AM

Due to how the UF operates, Linux capabilities are not an option. The access system call will incorrectly claim that the splunkd cannot open the file, when an actual attempt to open it for reading would succeed, so splunkd never tries.

Some of us have found this problem and spent time confirming the issue.

I've used setfacl, though that is a bit fragile at times. If you only have a very fixed number of files, you could write a configuration management policy to ensure file acls and default file acls are set for the appropriate files and logs. If you do use file ACLs, make sure and set the default file ACLs on the directory, and set log rotation parameters appropriately (default ACLs protect you from most log rotation issues, unless you create new directories).

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...