Can anyone tell me the best practice for the splunkfwd user to access other users' and root-owned dirs/logs?
Not interested in changing dir/log ownership.
We could do ACL - lots of work there.
Out of the box, what is the access level of splunkfwd post-install?
Enable the CAP_DAC_READ_SEARCH capability. See https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/Installleastprivileged
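
One way to check which file-permission bypass a running forwarder actually holds, as an added example that is not part of the original thread or Splunk's own tooling. It decodes the `CapEff` bitmask from `/proc/<pid>/status`; the function names and sample status text are constructed for illustration, and the process name `splunkd` in the closing comment is an assumption.

```shell
#!/bin/sh
# Added example: classify a process's effective capabilities from the text of
# /proc/<pid>/status. Bit numbers are from linux/capability.h.
CAP_DAC_OVERRIDE=1      # bypasses read, write and execute permission checks
CAP_DAC_READ_SEARCH=2   # bypasses read checks on files, read/search on dirs

# has_cap HEXMASK BIT: succeeds when BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_status STATUS_TEXT: prints one verdict for the CapEff line.
audit_status() {
    mask=$(printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }')
    case $mask in
        ''|*[!0-9a-fA-F]*) echo "no-capeff"; return 2 ;;
    esac
    if has_cap "$mask" "$CAP_DAC_OVERRIDE"; then
        echo "write-bypass"        # broader than reading logs requires
    elif has_cap "$mask" "$CAP_DAC_READ_SEARCH"; then
        echo "read-bypass-only"    # the capability the answer recommends
    else
        echo "no-dac-bypass"       # limited to normal owner/group/ACL access
    fi
}

# Constructed samples (not captured from a real host).
SAMPLE_FWD='Name: splunkd
CapEff: 0000000000000004'
SAMPLE_PLAIN='Name: splunkd
CapEff: 0000000000000000'
SAMPLE_ROOT='Name: splunkd
CapEff: 000001ffffffffff'

for s in "$SAMPLE_FWD" "$SAMPLE_PLAIN" "$SAMPLE_ROOT"; do
    audit_status "$s"
done

# On a live host (assumes the forwarder process is named splunkd):
#   audit_status "$(cat /proc/"$(pgrep -o splunkd)"/status)"
```

A `read-bypass-only` verdict means the process can read any file on the host regardless of ownership or mode, so the account running it should be treated as sensitive.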