Solved: Re: Spot permissions denied errors

GaetanVP · ‎01-06-2023

Hello Splunkers,

I faced the following issue :

I deployed an app on a UF, this app should monitor a specific file in my machine let's say /<my_file>

The thing is I'm running Splunk service as a non root user (splunk user) and this user does not have permission to read this file. I know how to solve this with setfacl command, but how could I spot this issue in the first place ?

I thought that this permission error would have been visible in splunkd.log but it's not the case... I am trying to find a way to monitor the other possible "permissions denied" errors without manually log in as the splunk user and try to open the specific files.

Thanks a lot,

GaetanVP

gcusello · ‎01-06-2023

Hi @GaetanVP,

you can search "permission denied" in _internal index for that host in Splunk Search & Reporting App.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎01-06-2023

Hi @GaetanVP,

you can search "permission denied" in _internal index for that host in Splunk Search & Reporting App.

Ciao.

Giuseppe

GaetanVP · ‎01-06-2023

Hello @gcusello,

Good guess, I indeed have "Permission denied" in some WARN message (failed to open for checksum - for a .gz file)

But I also have the following string "Reason: cannot_open" (this time it is for a single file)

I suppose there is different string to search based on the type of files / folder, but your answer helped, thanks !

GaetanVP

Spot permissions denied errors- How could I spot this issue in the first place ?

universal forwarder

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!