- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- splunkd is not running
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm currently building my own home instance and I'm having some trouble with my UF.
So far I've :
- installed the latest / correct version for my Ubuntu - Linux system
- sudo chown -RP splunk:splunk /opt/splunkforwarder/
- searched through SplunkForwarder.service to see if the correct user is applied (which it is)
- tried re-installing and running
./splunk enable boot-startas splunk user, and as root.
When using the splunk user, I have to authenticate as root anyway but i get the same results for both
./splunk start
results in "Done" after authentication
./splunk status
results in:
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk:splunkfwd /opt/splunkforwarder"
Couldn't change ownership for /opt/splunkforwarder/etc : Operation not permitted
splunkd is not running.
./splunk enable boot-start
results in:
" A systemd unit file already exists at path ="/etc/systemd/system/SplunkForwarder.service". To add a Splunk generated systemd unit file, run 'splunk disable boot-start' before running this command. If there are custom settings that have been added to the unit file, create a backup copy first.
It seems no matter which account I use or which user has permissions, I'm unable to have access to any of the files under "/opt/splunkforwarder" nor am I able to start the UF itself or configure boot-start.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to be a known issue with 9.1. As you can see a minimum privileged user splunkfwd is automatically created.
Reference : SPL-242093, SPL-242240 (https://docs.splunk.com/Documentation/Splunk/9.1.0/ReleaseNotes/KnownIssues)
Workaround - https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installleastprivileged
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to be a known issue with 9.1. As you can see a minimum privileged user splunkfwd is automatically created.
Reference : SPL-242093, SPL-242240 (https://docs.splunk.com/Documentation/Splunk/9.1.0/ReleaseNotes/KnownIssues)
Workaround - https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installleastprivileged
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help. Turns out I was using the "splunk:splunk" user and group instead of "splunkfwd". a clean install and correct addition of permissions helped
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
Everything Community at .conf24!
Index This | I’m short for "configuration file.” What am I?
