Getting Data In

When installing the universal forwarder, why is it unable to create /opt/app/splunkforwarder/var folder?

New Member

I'm trying to install Splunk Universal Forwarder on Red Hat OS. I am getting stuck at this step. Before this command, I've already ran:

chown -R splunk /opt/app/splunkforwarder
chmod -R 755 /opt/app/splunkforwarder

The permissions and groups are all there. For some reason, it seems like it can't create /opt/app/splunkforwarder/var folder.

[root@server etc]# /opt/app/splunkforwarder/bin/splunk enable boot-start -user splunk --accept-license

Warning: cannot create "/opt/app/splunkforwarder/var/log/splunk"

Warning: cannot create "/opt/app/splunkforwarder/var/log/introspection"
First-time-run has not finished.  Ignore this error when previewing migration - exiting.
0 Karma


I think the issue is that when you run chown -R splunk /opt/app/splunkforwarder you are instructing that the ownership of these folders and subfolders shouldo be changed to a user called splunk

However when you are running the Splunk binary you are running it as a root:
[root@server etc]# /opt/app/splunkforwarder/bin/splunk enable boot-start -user splunk --accept-license

Switch to user splunk and then run, which should sort it out.

Get Updates on the Splunk Community!

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...