Getting Data In

Why is the forwarder unable to read logs owned by a different functional user ID?

New Member

I have a Splunk forwarder under oraepm functional user and I am trying to read logs that are owned by a different functional userid.

Do I need to install one more Splunk forwarder with the new userid?

0 Karma
1 Solution

Motivator

Others will probably disagree with me, but a Universal Forwarder should run as a privileged account or member of a privileged group.

If that is not palatable to you or your organization then add oraepm to the group which ownes the logs it cannot read.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Installing more than one forwarder on a system is complicated and usually doesn't work as expected.
The preferred solution is to use ACLs to grant user oraepm read access to the logs.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

thank you I have grant user oraepm read access to the logs.

0 Karma

Motivator

Others will probably disagree with me, but a Universal Forwarder should run as a privileged account or member of a privileged group.

If that is not palatable to you or your organization then add oraepm to the group which ownes the logs it cannot read.

View solution in original post

0 Karma

New Member

thank you I have grant user oraepm read access to the logs.

0 Karma