I created a script to install the splunkforwarder on the clients.
The script is called on the main indexer and manages all the clients, but I'm logged in using ssh as root, so:
During the execution of the script, I'm creating a new user "splunk":
and I assign ownership of the Splunk directory to that user:
chown -hR splunk /opt/splunk
Next I stop splunk and I do:
sudo -i -u splunk
to switch to the new user, and then I restart Splunk.
Executing the command whoami, I'm still running Splunk as root. I have tried to execute all the same commands manually, from the terminal, and they were working correctly.
I think there is some trouble changing the user, as in the last comment above.
What can I do?
Let me know, thank you.
whoami does not do what you think it does. It just says "what user identity am I using right now", not "what user is the process running". You need to do this:
ps -ef | grep splunkd
You should see something like this:
splunk 17145 1 1 Jul29 ? 01:21:01 splunkd -p 8089 restart
But if that is not the problem...
This all looks correct and, as you say, it works when you run it manually. So the problem has to be in your script (duh!). Are you checking all error codes after each step ($?)? Are you using the full path name for each command (e.g. /usr/sbin/useradd, not just useradd)? Are you certain that your update script is being run as user root (you can check this as the first thing the script does)?
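The three checks the answer above asks for (what user the daemon actually runs as, as opposed to what whoami prints; that the script itself runs as root; and that every step's exit code is examined) as an added shell example that is not from the thread. The ps output is constructed for the example, and the function names (owner_of_process, daemon_runs_as, require_user, run_checked) are my own.

```shell
#!/bin/sh
# Added example: tell "who am I" apart from "who owns the splunkd process",
# and fail fast on every step, as the answer recommends.
set -eu

# owner_of_process PATTERN < ps-output
# Print the owner (first column) of the first process whose line matches
# PATTERN, skipping the grep that is usually searching for it. Reading ps
# output from stdin lets the same function run on live `ps -ef` output or on
# a captured copy.
owner_of_process() {
    grep -- "$1" | grep -v grep | awk 'NR == 1 { print $1 }'
}

# daemon_runs_as EXPECTED_USER PATTERN < ps-output
# Succeed only when the matched process is owned by EXPECTED_USER.
daemon_runs_as() {
    actual=$(owner_of_process "$2")
    [ "$actual" = "$1" ]
}

# require_user NAME
# The first thing a root-only script should do: refuse to run as anyone else.
require_user() {
    [ "$(id -un)" = "$1" ] || {
        echo "must run as $1, not $(id -un)" >&2
        return 1
    }
}

# run_checked CMD [ARGS...]
# Run a command (use its full path) and report a non-zero exit with the exact
# command line, instead of silently carrying on to the next step.
run_checked() {
    "$@" || {
        status=$?
        echo "FAILED (exit $status): $*" >&2
        return $status
    }
}

# Constructed `ps -ef` output for this example: splunkd owned by the splunk
# user, plus the grep line that a naive `ps -ef | grep splunkd` also returns.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jul29 ?        00:00:03 /sbin/init
splunk   17145     1  1 Jul29 ?        01:21:01 splunkd -p 8089 restart
root     20001 19990  0 10:01 pts/0    00:00:00 grep splunkd'

# Live usage would be:  ps -ef | daemon_runs_as splunk splunkd
if printf '%s\n' "$SAMPLE_PS" | daemon_runs_as splunk splunkd; then
    echo "sample: splunkd runs as splunk (whoami here says $(id -un))"
fi
```

Note that whoami inside the script reports the caller of the script, so seeing "root" there is expected; only the owner column of the splunkd process line tells you whether the restart switched users.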
I tried the command and splunk is actually running as root :(
I'm typing adduser splunk, nothing else, and I'm executing only one step:
email@example.com "command list"
where in the command list there are:
useradd splunk
chown -hR splunk /opt/splunk
/opt/splunk/bin stop
sudo -i -u splunk
/opt/splunk/bin start
So I dunno what's wrong, and thank you for the help.
Your last 2 commands should be this instead:
sudo -u splunk /opt/splunk/bin/splunk start
I tried to use this last command, but when I use
ps -ef | grep splunkd
it's running under root again...
Run the ps -ef command after you do the stop command; maybe the stop command is failing. Are you checking return codes after each step?
Ok, so your system is working fine if I'm not using ssh. If I log in using ssh it's not changing user.
I have another question: during the installation I have this error:
Can't create directory "/root/.splunk": Permission denied
I think it's still related to the user; do you have any idea why?
Thank you so much for your help : )
What do you mean by "installation"? Are you using a tarball? What is your installation command? Why are we being so vague? Just list out exactly what is in your script, line-by-line and maybe we can get somewhere.
Yes, sorry, this is the script:
#!/bin/sh
INSTALL_FILE="splunkforwarder-6.2.3-264376-Linux-x86_64.tgz"
DOWNLOAD_URL='http://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=Linux&version=6.2.3&product=universalforwarder&filename=splunkforwarder-6.2.3-264376-Linux-x86_64.tgz&wget=true'

# The script doesn't require the creation of an ssh public key pair.
# After installation, the forwarder will become a deployment client of the
# deployment server passed as argument $1.
# Specify the host and management (not web) port of the deployment server
# that will be managing these forwarder instances.
DEPLOY_SERVER="$1"

# outputs.conf (double quotes so $DEPLOY_SERVER is actually expanded; in
# single quotes the literal text "$DEPLOY_SERVER" would be written to the file)
OUTPUTS="[tcpout]\n defaultGroup= default-autolb-group\n\n [tcpout:default-autolb-group]\n\n server = $DEPLOY_SERVER:9997\n\n [tcpout-server://$DEPLOY_SERVER:9997]"

# Inputs to monitor; these need to be changed
INPUTS='[monitor:///var/log/*]\n sourcetype=syslog\n host_segment=3\n index=test\n\n [monitor:///var/log/messages]\n sourcetype=syslog\n host_segment=3\n index=test\n\n [monitor:///var/log/lastlog]\n sourcetype=syslog\n host_segment=3\n index=test\n\n'

echo 'checking network...'
# --spider only checks that the URL is reachable instead of downloading it
if wget -q --spider "$DOWNLOAD_URL" > /dev/null; then
    wget -O "$INSTALL_FILE" "$DOWNLOAD_URL" > /dev/null
    tar xvzf "$INSTALL_FILE" -C /opt
    useradd splunk
    # Note: this hands the whole of /opt and /var to the splunk user, not just
    # the forwarder directory
    chown -R splunk /opt
    chown -hR splunk /var
    /opt/splunkforwarder/bin/splunk enable boot-start -user splunk --no-prompt --accept-license --answer-yes
    sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
    # Runs as root, not as the splunk user
    /opt/splunkforwarder/bin/splunk set deploy-poll "$DEPLOY_SERVER:8089" --accept-license --answer-yes --auto-ports --no-prompt -auth admin:changeme
    cd /opt/splunkforwarder/etc/system/local/
    # printf '%b' interprets the \n escapes under any /bin/sh; the redirect creates the files
    printf '%b\n' "$OUTPUTS" > outputs.conf
    printf '%b\n' "$INPUTS" > inputs.conf
    /opt/splunkforwarder/bin/splunk restart
else
    echo 'Seems that your machine is not connected to the internet; before proceeding, be sure that the installation file is on your machine'
fi
echo "---------------------------"
echo "Done"
Ideally, you would make your script untar the package, create a user (or the other way round), chown the new directory to the user before starting splunk for the first time, start splunk as the new user with something like the already mentioned
sudo -H -u splunk $SPLUNK_HOME/bin/splunk start --accept-license
and set the autostart to use that user as well with
$SPLUNK_HOME/bin/splunk enable boot-start -user splunk
- see here and here for docs.
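The install order recommended above, written out as an added shell example that is not from the thread or from Splunk. It differs from the posted script in the two places that produce the symptoms in this thread: it chowns only the forwarder directory (not /opt and /var wholesale) and starts splunk with sudo -H so HOME is the splunk user's, which is what keeps the "/root/.splunk" error from appearing. SPLUNK_HOME, SPLUNK_USER, TARBALL and the function names are my assumptions; the ownership audit (verify_ownership) can be run on its own with the verify argument whenever splunkd still shows up as root.

```shell
#!/bin/sh
# Added example: create the user, hand it only its own directory, start as
# that user with a correct HOME, and enable boot-start for that user.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"   # assumption
SPLUNK_USER="${SPLUNK_USER:-splunk}"                 # assumption
TARBALL="${TARBALL:-splunkforwarder.tgz}"            # placeholder file name

# paths_not_owned_by UID DIR
# Print every path under DIR whose owner is not UID. A numeric uid is passed so
# the check works even where the name cannot be resolved.
paths_not_owned_by() {
    find "$2" ! -user "$1"
}

# verify_ownership UID DIR
# Succeed only if DIR exists and everything in it is owned by UID; this is the
# precondition for starting splunkd as that user without permission errors.
verify_ownership() {
    [ -d "$2" ] || { echo "missing directory: $2" >&2; return 1; }
    bad=$(paths_not_owned_by "$1" "$2" | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] || {
        echo "$bad path(s) under $2 are not owned by uid $1" >&2
        return 1
    }
}

# The whole procedure. set -e aborts on the first failing step, so a failed
# chown or a failed stop can no longer be followed by a start as root.
install_forwarder() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    tar xzf "$TARBALL" -C "$(dirname "$SPLUNK_HOME")"
    # Create the system user only if it does not exist yet (re-runnable).
    id -u "$SPLUNK_USER" >/dev/null 2>&1 \
        || /usr/sbin/useradd -r -d "$SPLUNK_HOME" "$SPLUNK_USER"
    # Only the install directory changes hands.
    chown -R "$SPLUNK_USER" "$SPLUNK_HOME"
    verify_ownership "$(id -u "$SPLUNK_USER")" "$SPLUNK_HOME"
    # -H sets HOME to the splunk user's home directory, so splunk's per-user
    # files land there instead of in /root/.splunk.
    sudo -H -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" start \
        --accept-license --answer-yes --no-prompt
    # The init script must also start it as that user after a reboot.
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"
}

case "${1:-}" in
    install) install_forwarder ;;
    verify)  verify_ownership "$(id -u "$SPLUNK_USER")" "$SPLUNK_HOME" ;;
esac
```

Run as sh install.sh install to perform the procedure, or sh install.sh verify to list nothing and exit 0 only when every path under the forwarder directory belongs to the splunk user.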