I am deploying new certificates to a number of UFs running on Windows Server 2008 R2. This environment is restricted and I do not have admin rights on the server. Prior to the steps below, I have full rights to the $SPLUNK_HOME directory and subdirectories.
During this process I stop the Splunk Universal Forwarder service, rename the existing outputs.conf to outputs.old and copy a new outputs.conf from a network share, then restart the UF service (as well as copying new cert files).
After starting Splunk, the permissions (not file attributes) change from RW to read-only and I no longer have access to edit outputs.conf.
Is this expected behaviour and can I stop this from happening? I realize I can edit the existing outputs.conf file vs replacing it, but I would like to stop Splunk from setting permissions at all.
This is just a shot in the dark, but your Windows admins might have a GPO doing something when services restart.
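
One way to see exactly which permission entries change across the service restart, as an added example that is not part of the original thread. The install path, the location of outputs.conf under `etc\system\local`, the service name `SplunkForwarder` and the 30-second wait are assumptions; adjust them to the environment.

```powershell
# Added example: snapshot the ACL of outputs.conf and its folder before and
# after the forwarder restarts, then show only the entries that differ.
# Assumed values (not from the thread): install path, file location, service name.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Target     = Join-Path $SplunkHome 'etc\system\local\outputs.conf'
$Service    = 'SplunkForwarder'

function Get-AclSnapshot {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # One row per access control entry so Compare-Object can pinpoint changes.
    $acl.Access | ForEach-Object {
        New-Object PSObject -Property @{
            Path      = $Path
            Owner     = $acl.Owner
            Protected = $acl.AreAccessRulesProtected   # True = inheritance disabled
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights.ToString()
            Type      = $_.AccessControlType.ToString()
            Inherited = $_.IsInherited
        }
    }
}

# Check the file and its parent folder: a copied file picks up the folder's
# inheritable entries, so a change on the folder also shows up on the file.
$paths  = @($Target, (Split-Path $Target -Parent))
$before = $paths | ForEach-Object { Get-AclSnapshot $_ }

Restart-Service -Name $Service
Start-Sleep -Seconds 30    # assumed wait for startup to finish

$after = $paths | ForEach-Object { Get-AclSnapshot $_ }

$props = 'Path','Owner','Protected','Identity','Rights','Type','Inherited'
$diff  = Compare-Object $before $after -Property $props
if ($diff) {
    $diff | Sort-Object Path, Identity | Format-Table -AutoSize
} else {
    'No ACL change detected across the restart.'
}
```

Rows marked `<=` existed only before the restart and rows marked `=>` only after it; a change in `Owner` or `Protected` shows that ownership or inheritance was rewritten rather than a single entry.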