Splunk Universal forwarder Permission issue

ram254481493
Explorer

My Splunk universal forwarder is not reading the logs from the var/log directory, and is not even sending the splunkd logs to my search-head. This seems to me to be a permission issue in the first place. Can anyone help me out with the command, or how can I tell my forwarder to read the logs from the var/log directory?

0 Karma

nabeel652
Builder

Not being able to send splunkd logs is strange.

Have you tried the command

./splunk list forward-server (on Linux)

splunk list forward-server (on Windows) under $SPLUNK_HOME/bin directory

0 Karma

marycordova
SplunkTrust

You are not even receiving the _internal splunk logs from the forwarder? Sounds more like a network layer issue than a permissions issue.

Check your network path, telnet or something, first.

Then, maybe remove the forwarder, re-install as root and check if you have logs. If you do then it's a permission issue. Remove the install as root, re-install as whatever user you want to use then make sure that user account is added to the group that can read the logs you want or make the logs readable by the user the forwarder is installed as.

At the very least you should be able to tail the splunkd.log file and check for any errors there.

@marycordova
0 Karma
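
The permission half of the advice in the answer above, as an added example that is not part of the original thread: it walks every directory on the way to a log file and reports the first component whose owner/group/other mode bits would stop a given account from reading it. The function name `first_blocker` and its `base` parameter are hypothetical; the uid and group ids are the ones `id` prints for the account the forwarder runs as, and ACLs, capabilities and SELinux are not evaluated.

```python
import os
import stat

def first_blocker(path, uid, gids, base="/"):
    """Return None if uid/gids can read `path`, else (component, mode, needed).

    Classic owner/group/other bits only. Components at or above `base`
    are assumed to be reachable already.
    """
    if uid == 0:
        return None  # root bypasses mode-bit checks
    path, base = os.path.abspath(path), os.path.abspath(base)
    chain, cur = [], path
    while cur != base and cur != os.path.dirname(cur):
        chain.append(cur)
        cur = os.path.dirname(cur)
    for comp in reversed(chain):          # outermost directory first
        st = os.stat(comp)
        if comp != path:
            need = 0o1                    # ancestor directory: search (x)
        elif stat.S_ISDIR(st.st_mode):
            need = 0o5                    # monitored directory: list and enter
        else:
            need = 0o4                    # monitored file: read
        if st.st_uid == uid:              # exactly one class applies
            bits = st.st_mode >> 6
        elif st.st_gid in gids:
            bits = st.st_mode >> 3
        else:
            bits = st.st_mode
        if bits & need != need:
            return comp, stat.filemode(st.st_mode), need
    return None

if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for a log directory.
    with tempfile.TemporaryDirectory() as root:
        logdir = os.path.join(root, "log")
        os.mkdir(logdir)
        os.chmod(logdir, 0o750)
        logfile = os.path.join(logdir, "messages")
        open(logfile, "w").close()
        os.chmod(logfile, 0o640)
        other_uid = os.stat(logfile).st_uid + 1000   # constructed non-owner uid
        print(first_blocker(logfile, other_uid, set(), base=root))
```

A result naming a directory with `needed` equal to 1 means the account cannot traverse that directory, so changing the mode of the log file alone will not help.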