How to install Splunk Enterprise as non-root user RHEL 9?

LinghGroove
Explorer

Hello, I am having trouble with the installation of Splunk Enterprise as a non-root user. I think it may be some kind of problem with Red Hat Enterprise v9 or maybe systemd. Online, even in the documentation and in the community, I was not able to find precise information on how to execute the installation as a non-root user (even for non-Fedora systems). Consulting online resources I came up with these steps:

sudo su
useradd splunk
mv package.rpm /tmp; cd /tmp
rpm -i package.rpm
ls -l /opt/ | grep splunk   # I don't give ownership of /opt/splunk to the user splunk because the installation does it automatically
su - splunk
cd /opt/splunk/bin
./splunk start --accept-license
# check that splunkd is executed by the splunk user (extract the PIDs from "splunk status", then print the real user of each)
PIDS=$(/opt/splunk/bin/splunk status | grep splunkd | awk '{print $5}' | tr -d ').'); ps -p "$PIDS" -o ruser=
./splunk stop
exit
/opt/splunk/bin/splunk enable boot-start -systemd-managed 1   # boot-start is enabled after the first "splunk start"; for some strange reason if I enable boot-start before the first start it doesn't let me use the splunk command
su - splunk
/opt/splunk/bin/splunk start
exit

# for the integrated firewall problem:
sudo su
firewall-cmd --zone=public --add-port=8000/tcp --permanent
firewall-cmd --zone=public --add-port=8089/tcp --permanent
firewall-cmd --zone=public --add-port=9997/tcp --permanent
firewall-cmd --zone=public --add-port=9887/tcp --permanent
firewall-cmd --reload

They are far from perfect, but for some strange reason these steps make it all work. Unfortunately I am not confident with this solution and I don't want to use it in a production environment. So I am here to ask if some of you know better steps to do this installation. If you have some best practices that I am ignoring, I would be glad to hear them. Thanks a lot in advance 🙂

1 Solution

shivanshu1593
Builder

Once you have enabled boot-start, then why try to bring Splunk up from /opt/splunk/bin. Just run the command systemctl start Splunkd.service (Or whatever name systemd gave while enabling boot-start) and you should be good to go as you basically confirm that permissions look good to you.

Regarding your question about putting boot-start before splunk start, I haven't seen it work like that. Splunk enterprise needs to be installed first before you enable boot-start. So doing what your script is currently doing is the right way.

++If it helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

isoutamo
SplunkTrust
SplunkTrust

Hi

There shouldn't be any issue using another user than root to run Splunk. A couple of things you must do to get it working:

  • after yum/dnf/rpm installation you must check that those files are owned by the correct user (chown -fR splunk:splunk /opt/splunk)
  • sudo -u splunk bash
  • /opt/splunk/bin/splunk start --accept-license --answer-yes
    • give the admin user account name + password when splunk asks for those (not the OS user!)
  • /opt/splunk/bin/splunk stop
  • back to root
  • then /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk
  • After that it should start/stop/restart with systemctl restart splunkd etc. (check the correct service name)
  • Update/add the needed firewalld ports etc. and SELinux requirements

r. Ismo
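The two procedures above (the question's script and Ismo's list) both hinge on the same two checks: that every file under the install directory is owned by the service account before boot-start is enabled, and that the processes reported by "splunk status" really run as that account. The script below is an added example written for this thread, not code from Splunk or from either poster. It assumes SPLUNK_HOME=/opt/splunk and SPLUNK_USER=splunk (both overridable), and the "splunk status" lines it parses are constructed from the format that command prints; it replaces the question's awk/tr one-liner with a parser that also handles the multi-PID "splunk helpers" line and runs the checks only if a splunk binary is present.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a non-root Splunk
# install on RHEL 9 under systemd. SPLUNK_HOME and SPLUNK_USER are assumptions.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Count entries under a directory that are NOT owned by the given user
# (name or numeric uid). Anything but 0 after "rpm -i" means
# "chown -R splunk:splunk /opt/splunk" is still needed before boot-start.
count_files_not_owned() {
    find "$1" ! -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Extract every PID from "splunk status" output read on stdin, e.g.
#   splunkd is running (PID: 4242).
#   splunk helpers are running (PIDs: 4250 4251).
# Prints the PIDs space-separated on one line; prints nothing when
# splunkd is not running (no "PID:" line present).
pids_from_status() {
    grep -E 'PIDs?:' | grep -oE '[0-9]+' | tr '\n' ' ' | sed 's/ *$//'
}

# Succeed only when every listed PID has the expected real user (ps ruser),
# which is the check the question did by hand with "ps -p $PIDS -o ruser=".
pids_run_as() {
    user="$1"; shift
    for pid in "$@"; do
        actual=$(ps -p "$pid" -o ruser= | tr -d ' ')
        [ "$actual" = "$user" ] || { echo "PID $pid runs as '$actual', not '$user'" >&2; return 1; }
    done
}

if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    bad=$(count_files_not_owned "$SPLUNK_HOME" "$SPLUNK_USER")
    if [ "$bad" -ne 0 ]; then
        echo "$bad entries under $SPLUNK_HOME are not owned by $SPLUNK_USER; run: chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME" >&2
        exit 1
    fi
    pids=$("$SPLUNK_HOME/bin/splunk" status | pids_from_status)
    if [ -n "$pids" ] && pids_run_as "$SPLUNK_USER" $pids; then
        echo "splunkd and helpers ($pids) run as $SPLUNK_USER"
    fi
else
    echo "no splunk binary at $SPLUNK_HOME/bin/splunk; check functions loaded only"
fi
```

Run it as root right after "rpm -i" (ownership check) and again after the first "splunk start" as the service account (process-user check); once "enable boot-start -systemd-managed 1 -user splunk" has been run, the same ownership check is what to repeat before every upgrade, since a new RPM can leave root-owned files that make the systemd unit fail to start as the splunk user.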

fenice
Engager

Thanks for those wonderfully simple instructions, they're even better than the product documentation. 🙂

I'm a user of the 'free' version which I've been using for years as an enthusiastic home user. Unfortunately my Splunk VM decided to go AWOL and was totally inaccessible, and eventually I had to delete it and start again. Although I've lost my old data, the new server was up and running in a very short time. Thanks again for your post.


Regards

Bil
