Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Spot permissions denied errors- How could I spot this issue in the first place ?

GaetanVP
Contributor
‎01-06-2023 01:03 AM

Hello Splunkers,

I faced the following issue :

I deployed an app on a UF, this app should monitor a specific file in my machine let's say /<my_file>

The thing is I'm running Splunk service as a non root user (splunk user) and this user does not have permission to read this file. I know how to solve this with setfacl command, but how could I spot this issue in the first place ?

I thought that this permission error would have been visible in splunkd.log but it's not the case... I am trying to find a way to monitor the other possible "permissions denied" errors without manually log in as the splunk user and try to open the specific files.

Thanks a lot,

GaetanVP

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-06-2023 02:57 AM

Hi @GaetanVP,

you can search "permission denied" in _internal index for that host in Splunk Search & Reporting App.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-06-2023 02:57 AM

Hi @GaetanVP,

you can search "permission denied" in _internal index for that host in Splunk Search & Reporting App.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

GaetanVP
Contributor
‎01-06-2023 05:19 AM

Hello @gcusello,

Good guess, I indeed have "Permission denied" in some WARN message (failed to open for checksum - for a .gz file)

But I also have the following string "Reason: cannot_open" (this time it is for a single file) 

I suppose there is different string to search based on the type of files / folder, but your answer helped, thanks !

GaetanVP

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...