I am leveraging the rlog.sh script on a universal forwarder. The forwarder receives it's confuration in the form of a deployment app from a deployment server(windows). When the client pulls the package, the machine recognizes the rlog.sh script as a new file and sets the default permissions (no execute bit due to umask settings). Splunk then throws an error of "permissions denied" when running the script. I can resolve the issue temporarily by adding execute permissions for the owner after the file is pulled to the client, but any time the client pulls the package down again, it resets the permissions. I'm unable to modify our umask values due to security requirements.
The rlog.sh script is leveraged in the inputs.conf as follows:
sourcetype = auditd
source = auditd
interval = 60
disabled = 0
Any ideas on how to get splunk to recognize it is an executable without setting permissons for an executable (i.e. rw-r------ instead of (rwxr-----)?