Hi All,
So , What happens when I restart universal forwarder as root user on Linux . And Previously if done so what needs to be done if anything goes wrong
I am missing one of the log file on a particular host , but remaining logs from different sources are working fine from the same host
So restarted UF as root user ,but didn't worked
Any help ?
Thanks
Certain files will change owner, causing stuff to break when you then restart it under the regular user). Solution:
Stop the forwarder (as root)
chown the entire splunk directory to the correct user:group
Start the forwarder (as the correct user)
Certain files will change owner, causing stuff to break when you then restart it under the regular user). Solution:
Stop the forwarder (as root)
chown the entire splunk directory to the correct user:group
Start the forwarder (as the correct user)
Will that work ? And The missing log from a particular source will start indexing again if I restart the splunk UF as splunk user.
And what the thing called fish bucket .bat files in this scenario?
Not sure what the issue was with that specific log that failed to index. But in general, when a splunk instance that used to be running as a normal user, accidentally got restarted as root. What I posted is the solution to get things back to normal.
Ok @FrankVl , Thanks for your quick response
Thank you 🙂