Getting Data In

Splunk internal logs stopped logging; can you please provide information about permission setup for log files?

dbanerjee17
New Member

Hello Splunkers:
This question is for the splunkers who are running their instances with splunk user.
Three logs have stopped logging since April 17, 2018. They are splunkd.log, metrics.log and splunk-access.log. Also, now I am getting an access denied error for splunkd.log while restarting splunk, and also the KV store failed due to an access denied error for the /mnt/data/splunk/kvstore/mongo/_tmp directory. Our splunk instance runs with the splunk user. On the 17th, I started it with the root user by mistake. After realizing it, I stopped and restarted splunk with the splunk user. Just after that, the problem started. All three log files and the _tmp directory mentioned above are currently running with root. All others are running with the splunk user; all other files have splunk ownership. I am not sure whether the above mentioned log files and _tmp directory should be with splunk ownership. I have been struggling with this issue for the past few days. Any help on this will be highly appreciated. Can you please check your instances and let me know the ownership of the splunkd.log, metrics.log, splunk-access.log and /mnt/data/splunk/kvstore/mongo/_tmp directory?
Thank you in advance.
Deb


FrankVl
Ultra Champion

When you accidentally started it as root, several files will have changed ownership to root. When switching back to splunk user, the splunk process lost access to those files.

What you should have done (and should now do) is:

  1. stop splunk
  2. set the ownership of the entire splunk folder (and other locations it uses) to the splunk user and its group
  3. start splunk as splunk user

To prevent this issue in the future:

  1. go to splunk/etc/
  2. mv splunk-launch.conf.default splunk-launch.conf
  3. on the bottom line activate the setting: SPLUNK_OS_USER = splunk

This will force splunk to always start as that user, regardless of which account you use to execute the splunk start command.

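An added shell audit for the repair and prevention steps above (example code, not from the answer or from Splunk): it lists files under the install and the KV store path that are no longer owned by the splunk user, and reports whether splunk-launch.conf has an active SPLUNK_OS_USER line. SPLUNK_HOME defaulting to /opt/splunk is an assumption; the KV store path is the one from the question.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk. Audits a Splunk install
# for files that fell back to root ownership after an accidental root start, and
# checks that splunk-launch.conf pins SPLUNK_OS_USER. Paths are assumptions:
# SPLUNK_HOME defaults to /opt/splunk; the KV store path is the one in the question.

# List everything under $1 not owned by numeric uid $2; return 1 if any is found.
audit_owner() {
    bad=$(find "$1" ! -uid "$2" 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Number of files/dirs under $1 not owned by uid $2 (handy for a monitoring check).
count_wrong_owner() {
    find "$1" ! -uid "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Audit every location Splunk uses (user name, then one or more roots).
# The KV store lives outside SPLUNK_HOME here, which is why it needs its own entry.
audit_splunk() {
    user="$1"; shift
    uid=$(id -u "$user") || return 2
    rc=0
    for root in "$@"; do
        [ -e "$root" ] || continue
        audit_owner "$root" "$uid" || rc=1
    done
    return $rc
}

# Print the user from an active (uncommented) SPLUNK_OS_USER = <user> line; last one wins.
launch_conf_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Repair step from the answer: run as root with Splunk stopped, then start it as splunk.
fix_owner() {
    chown -R "$1:$1" "$2"
}

# Entry point, only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
    audit_splunk splunk "$SPLUNK_HOME" /mnt/data/splunk/kvstore && echo "ownership OK"
    u=$(launch_conf_user "$SPLUNK_HOME/etc/splunk-launch.conf")
    [ -n "$u" ] && echo "SPLUNK_OS_USER = $u" || echo "SPLUNK_OS_USER not set"
fi
```

Run it as `sh audit.sh --run` after a suspected root start; any path it prints is one that `fix_owner splunk <root>` (as root, with Splunk stopped) needs to reclaim before starting as the splunk user again.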

janispelss
Path Finder

As far as I'm aware, all files and directories in your Splunk installation path should be owned by the same user that's used for running Splunk. And it's definitely the case for the files you mentioned.
