Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Spot permissions denied errors- How could I spot this issue in the first place ?

GaetanVP
Communicator
‎01-06-2023 01:03 AM

Hello Splunkers,

I faced the following issue :

I deployed an app on a UF, this app should monitor a specific file in my machine let's say /<my_file>

The thing is I'm running Splunk service as a non root user (splunk user) and this user does not have permission to read this file. I know how to solve this with setfacl command, but how could I spot this issue in the first place ?

I thought that this permission error would have been visible in splunkd.log but it's not the case... I am trying to find a way to monitor the other possible "permissions denied" errors without manually log in as the splunk user and try to open the specific files.

Thanks a lot,

GaetanVP

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎01-06-2023 02:57 AM

Hi @GaetanVP,

you can search "permission denied" in _internal index for that host in Splunk Search & Reporting App.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎01-06-2023 02:57 AM

Hi @GaetanVP,

you can search "permission denied" in _internal index for that host in Splunk Search & Reporting App.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

GaetanVP
Communicator
‎01-06-2023 05:19 AM

Hello @gcusello,

Good guess, I indeed have "Permission denied" in some WARN message (failed to open for checksum - for a .gz file)

But I also have the following string "Reason: cannot_open" (this time it is for a single file) 

I suppose there is different string to search based on the type of files / folder, but your answer helped, thanks !

GaetanVP

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...