- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- How to install Splunk Enterprise as non-root user ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I am having troubles with the installation of Splunk Enterprise as non-root user. I think it may be some kind of problem with Red Hat Enterprise v9 or maybe systemd. Online, even in the documentation and in the community, i was not able to find precise informations on how to execute the installation as non-root user (even for non-fedora systems). Consulting online resources i came up with this steps:
sudo su
useradd splunk
mv package.rpm /tmp; cd tmp
rpm -i package.rpm
ls -l /opt/ | grep splunk #i don't give ownership to /opt/splunk to the user splunk because with the installation it is automatic
su - splunk
cd /opt/splunk/bin
./splunk start --accept-license
PIDS=$(/opt/splunk/bin/splunk status | grep splunkd | awk {'print$5'} | tr -d \)\.); ps -p $PIDS -o ruser= #to check if it is executed by splunk
./splunk stop
exit
/opt/splunk/bin/splunk enable boot-start -systemd-managed 1 #the boot-start is started after the /splunk start, for some strange reason if i put the boot-start before the start it doesn't let me use the splunk command
su - splunk
/opt/splunk/bin/splunk start
exit
# for the integrated firewall problem:
sudo su
firewall-cmd --zone=public --add-port=8000/tcp --permanent;
firewall-cmd --zone=public --add-port=8089/tcp --permanent;
firewall-cmd --zone=public --add-port=9997/tcp --permanent;
firewall-cmd --zone=public --add-port=9887/tcp --permanent;
firewall-cmd --reload
they are far from perfect but for some strange reason this steps make it all work. Unfortunatly i am not confident with this solution and i don't want to use it in a production enviroment. So i am here to ask you if some of you know some better steps to do this installation. If you have some best practices that i am ignoring i would be glad to hear them. Thanks a lot in advance 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once you have enabled boot-start, then why try to bring Splunk up from /opt/splunk/bin. Just run the command systemctl start Splunkd.service (Or whatever name systemd gave while enabling boot-start) and you should be good to go as you basically confirm that permissions look good to you.
Regarding your question about putting boot-start before splunk start, I haven't seen it work like that. Splunk enterprise needs to be installed first before you enable boot-start. So doing what your script is currently doing is the right way.
++If it helps, please consider accepting as an answer++
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
There shouldn't be any issue to use another user than root to run splunk. Couple of think what you must do to get it working.
- after yum/dnf/rpm installation you must check that those files are owned by correct user (chown -fR splunk:splunk /opt/splunk)
- sudo -u splunk bash
- /opt/splunk/bin/splunk start --accept-license --answer-yes
- give admin user account name + password for it when splunk ask those (don't os user!)
- /opt/splunk/bin/splunk stop
- back to root
- then /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk
- After that is should start/stop/restart with systemctl splunkd restart etc. (check correct service name)
- Update/add needed firewalld ports etc and selinux requirements
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for those wonderfully simple instructions, they're even better than the product documentation. 🙂
I'm a user of the 'free' version which I've been using for years as an enthusiastic home user. Unfortunately my Splunk VM decided to go AWOL and was totally inaccessible and eventually I had to delete it and start again. Although I've lost my old data the new server was up and running in a very short time. Thanks again for your post.
Regards
Bil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once you have enabled boot-start, then why try to bring Splunk up from /opt/splunk/bin. Just run the command systemctl start Splunkd.service (Or whatever name systemd gave while enabling boot-start) and you should be good to go as you basically confirm that permissions look good to you.
Regarding your question about putting boot-start before splunk start, I haven't seen it work like that. Splunk enterprise needs to be installed first before you enable boot-start. So doing what your script is currently doing is the right way.
++If it helps, please consider accepting as an answer++
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
Splunk Admins and App Developers | Earn a $35 gift card!
Enterprise Security Content Update (ESCU) | New Releases
Monitoring MariaDB and MySQL
