Hello,
I am working with a Linux system and a universal forwarder.
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-12-amd64
Architecture: x86-64
When I checked /opt/splunkforwarder/etc/system/local and ran ls -l, I noticed that root root had permission in there as well as splunk splunk. Should splunk splunk own everything in the universal forwarder directory?
-rw-r--r-- 1 root root 283 Apr 30 2020 inputs.conf
-rw------- 1 root root 45 Apr 21 2020 migration.conf
-rw-r--r-- 1 root root 222 Apr 23 2020 outputs.conf
-r--r--r-- 1 splunk splunk 265 Mar 30 2020 README
-rw------- 1 splunk splunk 431 Sep 23 2019 server.conf
-rw-r--r-- 1 splunk splunk 65 Jun 3 13:38 user-seed.conf
-rw-r--r-- 1 root root 40 Sep 23 2019 web.conf
The installation might have been done as root and the service is running under the splunk user, which could have created the splunk file. Changing it to the splunk user will not have any impact if the service is running under splunk.
chown -R splunk:splunk /opt/splunkforwarder
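A read-only check to run before changing ownership, added here as an example and not part of the thread: it lists every file or directory under the forwarder directory whose owner or group is not the service account, with its mode, so root-owned files such as the -rw------- migration.conf above stand out. The function name audit_owner is hypothetical; the path and splunk:splunk are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report entries under a forwarder
# directory whose owner or group is not the expected service account.

# audit_owner DIR USER GROUP
#   Prints an "ls -ld" line for every mismatching file or directory.
#   USER and GROUP may be names or numeric ids.
#   Returns 0 when everything matches, 1 when something differs,
#   2 on bad input (missing directory, unknown user or group name).
audit_owner() {
    ao_dir=$1; ao_user=$2; ao_group=$3
    if [ ! -d "$ao_dir" ]; then
        echo "audit_owner: not a directory: $ao_dir" >&2
        return 2
    fi
    # find selects anything NOT owned by USER or NOT in GROUP; ls -ld shows
    # owner, group and mode so unreadable root-only files are visible too.
    ao_out=$(find "$ao_dir" \( ! -user "$ao_user" -o ! -group "$ao_group" \) \
                 -exec ls -ld {} +) || return 2
    if [ -z "$ao_out" ]; then
        return 0
    fi
    printf '%s\n' "$ao_out"
    return 1
}

# Run as: sh audit_owner.sh DIR [USER [GROUP]]
# Defaults assume the splunk:splunk account from the thread, e.g.
#   sh audit_owner.sh /opt/splunkforwarder
if [ "$#" -gt 0 ]; then
    audit_owner "$1" "${2:-splunk}" "${3:-splunk}"
fi
```

An empty listing with exit status 0 means nothing under the directory is owned by another account; any lines printed are the entries a recursive chown would change.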