When installing the universal forwarder, why is it...

dmacndawk · ‎11-09-2016

I'm trying to install Splunk Universal Forwarder on Red Hat OS. I am getting stuck at this step. Before this command, I've already ran:

chown -R splunk /opt/app/splunkforwarder
chmod -R 755 /opt/app/splunkforwarder

The permissions and groups are all there. For some reason, it seems like it can't create /opt/app/splunkforwarder/var folder.

[root@server etc]# /opt/app/splunkforwarder/bin/splunk enable boot-start -user splunk --accept-license

Warning: cannot create "/opt/app/splunkforwarder/var/log/splunk"

Warning: cannot create "/opt/app/splunkforwarder/var/log/introspection"
First-time-run has not finished.  Ignore this error when previewing migration - exiting.

gokadroid · ‎11-09-2016

I think the issue is that when you run chown -R splunk /opt/app/splunkforwarder you are instructing that the ownership of these folders and subfolders shouldo be changed to a user called splunk

However when you are running the Splunk binary you are running it as a root:
[root@server etc]# /opt/app/splunkforwarder/bin/splunk enable boot-start -user splunk --accept-license

Switch to user splunk and then run, which should sort it out.

When installing the universal forwarder, why is it unable to create /opt/app/splunkforwarder/var folder?

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?