Getting Data In

Why does Splunk service startup change permissions on outputs.conf to read only on my Windows universal forwarder?

rob_gibson
Path Finder

I am deploying new certificates to a number of UF's running on Windows Servers 2008 R2. This environment is restricted and I do not have admin rights on the server. Prior to the steps below I have full rights to the $SPLUNK_HOME directory and sub dirs.

During this process I stop the Splunk Universal Forwarder service, rename the existing outputs.conf to outputs.old and copy a new outputs.conf from a network share, then restart the UF service (as well as copying new cert files).

After starting splunk, the permissions (not file attributes) change from RW to Read only and I no longer have access to edit outputs.conf.

Is this expected behaviour and can I stop this from happening? I realize I can edit the existing outputs.conf file vs replacing it, but I would like to stop splunk from setting permissions at all.

0 Karma

lycollicott
Motivator

This is just a shot in the dark, but your Windows admins might have GPO doing something when services restart.

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...