Getting Data In

Why does Splunk service startup change permissions on outputs.conf to read only on my Windows universal forwarder?

Path Finder

I am deploying new certificates to a number of UF's running on Windows Servers 2008 R2. This environment is restricted and I do not have admin rights on the server. Prior to the steps below I have full rights to the $SPLUNK_HOME directory and sub dirs.

During this process I stop the Splunk Universal Forwarder service, rename the existing outputs.conf to outputs.old and copy a new outputs.conf from a network share, then restart the UF service (as well as copying new cert files).

After starting splunk, the permissions (not file attributes) change from RW to Read only and I no longer have access to edit outputs.conf.

Is this expected behaviour and can I stop this from happening? I realize I can edit the existing outputs.conf file vs replacing it, but I would like to stop splunk from setting permissions at all.

0 Karma


This is just a shot in the dark, but your Windows admins might have GPO doing something when services restart.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!