dealing with UF user change (linux)

ilhwan
Path Finder

I haven't upgraded UF in a while, and I'm having some trouble figuring out how I should proceed with bringing it up to date. I see that the current version has changed the user from splunk to splunkfwd. I also see that updating an existing UF keeps the user as splunk (this seems to work but not always). This means that new installations will use a different username than updated UF.

This is a problem for me because I use scripts to make the permission changes to give splunk access to the appropriate log files.  I'm not finding a lot of guidance on how to keep this sane.  How have other organizations dealt with this?

I'm tempted to uninstall UF and do a fresh install on every system.  That will force me to manage splunk servers differently than other linux servers, but that has to be less complicated than trying to keep track of which systems use splunk and which use splunkfwd.

0 Karma

dural_yyz
Motivator

Do you use scripts to do your install/upgrade? Post event, could you not just chown the whole directory back to the original user of splunk to run as you originally have done?

There are many reasons why this might not work for you. Honestly though, given that this is the new direction, it would be something you have to carry forward with every upgrade. While it would be a big lift, the idea of moving everything over now might be easier than trying to always revert back to splunk user.

0 Karma

ilhwan
Path Finder

I'd rather chown the old version and make it match the new one.  I think I tried that on one of my update tests, and it complained a lot before failing.  That's kinda why I'm thinking of uninstalling the old one and installing it fresh.

0 Karma
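An added example, not code from anyone in this thread: one way to keep a single permission script across a mixed fleet is to resolve the forwarder account per host from the owner of the install directory, then grant that account read-only ACLs on the log paths. The default path `/opt/splunkforwarder`, the function names and the `DRY_RUN` variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: resolve the UF account per host instead of hardcoding
# "splunk" or "splunkfwd" in the permission script.
# Assumption: the UF lives in /opt/splunkforwarder unless SPLUNK_HOME is set.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print the account that owns the UF install directory. Falls back to the
# numeric uid when the owner has no passwd entry; returns 1 if the directory
# does not exist (UF not installed on this host).
uf_owner() (
  home="${1:-$SPLUNK_HOME}"
  if [ ! -d "$home" ]; then
    echo "no UF install at $home" >&2
    exit 1
  fi
  name=$(stat -c %U "$home")
  if [ "$name" = "UNKNOWN" ]; then
    name=$(stat -c %u "$home")
  fi
  printf '%s\n' "$name"
)

# Run a command, or only print it when DRY_RUN is set (hypothetical switch).
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Give one account read-only access to each path via POSIX ACLs, leaving the
# owner, group and mode of the log files unchanged. Directories also get a
# default ACL so newly created or rotated files inherit the entry; rX adds
# execute only on directories so they can be traversed.
grant_read() (
  user="$1"; shift
  for path in "$@"; do
    if [ -d "$path" ]; then
      run setfacl -R -m "u:$user:rX" "$path"
      run setfacl -R -d -m "u:$user:rX" "$path"
    else
      run setfacl -m "u:$user:r" "$path"
    fi
  done
)

# Usage (as root, paths are examples):
#   grant_read "$(uf_owner)" /var/log/messages /var/log/httpd
```

Setting `DRY_RUN=1` first prints the `setfacl` commands without applying them, which makes it easy to confirm the resolved account on a host before changing anything.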