Hello,
I noticed that in versions upper 9.1, the user and group were changed to "splunkfwd"
I have updated the universal forwarder to the newer version (9.1), but the user and group did not change to "splunkfwd." Subsequently, we encountered several problems related to permissions, such as the Universal Forwarder lacking permission to read auditd logs. Therefore, it is necessary to modify the "log_group" parameter in the auditd.conf file.
Should I manually change it, or is there an alternative solution to resolve all permission problems?
I have updated the universal forwarder with RPM and deb packages and following commands:
rpm -Uvh and dpkg -i
Wait a second. You did both on the same host? rpm and deb?
How did you install and upgrade your forwarder? RPM? deb? tgz?
I have updated the universal forwarder with RPM and deb packages and following commands:
rpm -Uvh and dpkg -i