universal forwarder scripts linux

jsb22 · ‎09-25-2012

I am leveraging the rlog.sh script on a universal forwarder. The forwarder receives it's confuration in the form of a deployment app from a deployment server(windows). When the client pulls the package, the machine recognizes the rlog.sh script as a new file and sets the default permissions (no execute bit due to umask settings). Splunk then throws an error of "permissions denied" when running the script. I can resolve the issue temporarily by adding execute permissions for the owner after the file is pulled to the client, but any time the client pulls the package down again, it resets the permissions. I'm unable to modify our umask values due to security requirements.
The rlog.sh script is leveraged in the inputs.conf as follows:

[script://./bin/rlog.sh]

sourcetype = auditd

source = auditd

interval = 60

disabled = 0

followTail=1

Any ideas on how to get splunk to recognize it is an executable without setting permissons for an executable (i.e. rw-r------ instead of (rwxr-----)?

lzaexpert · ‎11-30-2018

I´m having to same issue to ! Is the only solution is to install the DS on a linux machine ?

Thanks for your help
Laurent

beaunewcomb · ‎02-14-2014

Bump. I'm having the same issue.

universal forwarder scripts linux

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...