Getting Data In

Why is the forwarder unable to read logs owned by a different functional user ID?

thirulog
New Member

I have a Splunk forwarder running under the oraepm functional user, and I am trying to read logs that are owned by a different functional user ID.

Do I need to install one more Splunk forwarder with the new userid?

0 Karma
1 Solution

lycollicott
Motivator

Others will probably disagree with me, but a Universal Forwarder should run as a privileged account or member of a privileged group.

If that is not palatable to you or your organization, then add oraepm to the group which owns the logs it cannot read.


0 Karma

richgalloway
SplunkTrust

Installing more than one forwarder on a system is complicated and usually doesn't work as expected.
The preferred solution is to use ACLs to grant user oraepm read access to the logs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
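
The ACL approach from the reply above, as an added example that is not part of the original thread: a dry-run shell function that inspects mode bits and prints the `setfacl` commands needed for the forwarder account to read a log directory, without changing anything. It assumes Linux with GNU `stat` and a filesystem with POSIX ACL support, and that oraepm is neither the owner nor in the owning group of the paths; the function names and the sample path in the comment are hypothetical.

```sh
#!/bin/sh
# Dry run only: prints setfacl commands, never executes them.
# Only classic mode bits are inspected; ACL entries already present are ignored.

# lacks <path> <bits>: true if the "other" permission class is missing any of
# <bits> (4 = read, 1 = execute/traverse, 5 = both).
lacks() {
    mode=$(stat -c %a "$1")                      # e.g. 750, 1777
    [ $(( ${mode#"${mode%?}"} & $2 )) -ne "$2" ] # last octal digit = "other"
}

# plan_acl <user> <logdir>: print one command per missing permission.
plan_acl() (
    user=$1
    dir=$(cd "$2" && pwd -P) || exit 1

    # 1. Every ancestor directory must be traversable, otherwise open() is
    #    denied even when the log file itself is readable. Grant x only.
    path=$(dirname "$dir")
    while [ "$path" != "/" ]; do
        lacks "$path" 1 || { path=$(dirname "$path"); continue; }
        echo "setfacl -m u:$user:--x $path"
        path=$(dirname "$path")
    done

    # 2. The log directory itself needs r-x so its files can be listed.
    if lacks "$dir" 5; then echo "setfacl -m u:$user:r-x $dir"; fi

    # 3. Existing files: read only, and only where "other" cannot read already.
    need_default=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if lacks "$f" 4; then
            echo "setfacl -m u:$user:r-- $f"
            need_default=1
        fi
    done

    # 4. A default ACL on the directory makes newly created (rotated) files
    #    inherit the entry, subject to the ACL mask set by the creating process.
    [ "$need_default" -eq 0 ] || echo "setfacl -d -m u:$user:r-- $dir"
)

# Usage (constructed path): plan_acl oraepm /u01/app/logs
```

Review the printed commands, run them as root or as the owner of the logs, then confirm the result with `getfacl` on the directory.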

thirulog
New Member

Thank you, I have granted user oraepm read access to the logs.

0 Karma
