I created a script to install the splunkforwarder on the clients.
The script is called on the main indexer and manages all the clients, but I'm logged in using ssh as root, so:
During the execution of the script, I'm creating a new user "splunk":
and I assign the owner permissions of Splunk at the user:
chown -hR splunk /opt/splunk
Next I stop splunk and I do:
sudo -i -u splunk
To access as the new user and I restart Splunk.
Executing the command
whoami, I'm still running Splunk as root. I have tried to execute all the same commands manually, from the terminal, and they were correctly working.
I think is there some trouble changing the user, so in the last comment above.
What can I do?
Let me know, thank you
Ideally, you would make your script untar the package, create a user (or the other way round),
chown the new directory to the user before starting splunk for the first time, start splunk as the new user with something like the already mentioned
sudo -H -u splunk $SPLUNK_HOME/bin/splunk start --accept-license, and set the autostart to use that user as well with
$SPLUNK_HOME/bin/splunk enable boot-start -user splunk - see here and here for docs.
sudo -H -u splunk is not working : (
I've already added
$SPLUNK_HOME/bin/splunk enable boot-start -user splunk $SPLUNK_HOME/bin/splunk start --accept-license
But seems like it's not changing user
You are doing this on a new machine, right?
I've done the above steps many times, and it works like a charm. Just don't start splunk while the directory is not yet owned by the splunk user and don't start it as root. Actually, I've always used
su splunk for that, never that command (but it is mentioned in the docs so it should work - but see the notice about what the command assumes in the first link above).
whoami does not do what you think it does. It just says "what user identity am I using right now", not "what user is the process running". You need to do this:
ps -ef | grep splunkd
You should see something like this:
splunk 17145 1 1 Jul29 ? 01:21:01 splunkd -p 8089 restart
But if that is not the problem...
This all looks correct and, as you say, it works when you run it manually. So the problem has to be in your script (duh!). Are you checking all error codes after each step ($?)? Are you using the full path name for each command (eg.
/usr/sbin/useradd, not just
useradd)? Are you certain that your update script is being run as user root (you can check this as the first thing the script does)?
Ok, so your system is working fine if I'm not using ssh, If I log using ssh it's not changing user.
I have another question, during the installation I have this error:
Can't create directory "/root/.splunk": Permission denied
I think it's still related to the user, do you have any ideas why?
Thank you so much for your help : )
What do you mean by "installation"? Are you using a tarball? What is your installation command? Why are we being so vague? Just list out exactly what is in your script, line-by-line and maybe we can get somewhere.
Yes, sorry, this is the script:
#!/bin/sh INSTALL_FILE="splunkforwarder-6.2.3-264376-Linux-x86_64.tgz" #The script doesn't require the creation of a public pair ssh key # After installation, the forwarder will become a deployment client the passed argument $1 # Specify the host and management (not web) port of the deployment server # that will be managing these forwarder instances. DEPLOY_SERVER="$1" #outputs.conf OUTPUTS='[tcpout]\n defaultGroup= default-autolb-group\n\n [tcpout:default-autolb-group]\n\n server = $DEPLOY_SERVER:9997\n\n [tcpout-server://$DEPLOY_SERVER:9997]' #Input to monitor needs to be changed INPUTS='[monitor:///var/log/*]\n sourcetype=syslog\n host_segment=3\n index=test\n\n [monitor:///var/log/messages]\n sourcetype=syslog\n host_segment=3\n index=test\n\n [monitor:///var/log/lastlog]\n sourcetype=syslog\n host_segment=3\n index=test\n\n' echo 'checking network...' if wget -q 'http://www.splunk.com/bin/splunk/DownloadActivityServlet? architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=spl unkforwarder-6.2.3-264376-Linux-x86_64.tgz&wget=true' > /dev/null; then wget -O splunkforwarder-6.2.3-264376-Linux-x86_64.tgz 'http://www.splunk.com/bin/splunk/DownloadActivityServlet? architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=spl unkforwarder-6.2.3-264376-Linux-x86_64.tgz&wget=true'> /dev/null; tar xvzf splunkforwarder-6.2.3-264376-Linux-x86_64.tgz -C /opt useradd splunk chown -R splunk /opt chown -hR splunk /var /opt/splunkforwarder/bin/splunk enable boot-start -user splunk --no-prompt --accept-license -- answer-yes sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto- ports --no-prompt --accept-license --answer-yes /opt/splunkforwarder/bin/splunk set deploy-poll \"$DEPLOY_SERVER:8089\" --accept-license -- answer-yes --auto-ports --no-prompt -auth admin:changeme cd /opt/splunkforwarder/etc/system/local/ touch inputs.conf cd /opt/splunkforwarder/etc/system/local/ touch outputs.conf echo -e $OUTPUTS > outputs.conf echo -e $INPUTS > inputs.conf /opt/splunkforwarder/bin/splunk restart else echo 'Seems that your machine is not connected with internet, before to procede be sure that the installation file is on your machine'; fi echo "---------------------------" echo "Done"
I try the command and splunk is actually running as root : (
I'm typing adduser splunk nothing else, and I'm executing only one step:
email@example.com "command list"
where in command list there are:
useradd splunk chown -hR splunk /opt/splunk /opt/splunk/bin stop sudo -i -u splunk /opt/splunk/bin start
So I dunno what's wrong, and thank you for the help