Installation

Install splunk as non root user

splunker_123
Path Finder

Hi

I'm about to install the splunk header as non-root user in our environment and just read in the documentation that splunkuser should have access to /dev/urandom script in linux box which is owned by root.

I'm installing splunk as a non-root user called splunkusr and it is added to a group called splunkgrp. Do I have to do anything specifically to give access to /dev/urandom for splunkusr? Or is it something splunk will manage to access /dev/urandom during initial startup?

spluker_123

0 Karma
1 Solution

lguinn2
Legend

Splunk does not take care of this - you need to do it in Linux. Signed in as root, you can change the permissions to the /dev/urandom script and any directories that you want Splunk to monitor (like /var/log). chmod should be all that you need to do...

HTH


mcronkrite
Splunk Employee

In Linux one approach to setting up a splunk service account user is to do the normal linux adduser command.

Created a group "splunkadmins" and added the specific accounts to that group.
In sudoers add these lines for splunkadmins.

%splunkadmins ALL=(splunk) NOPASSWD: ALL, !/bin/sh, !/bin/bash, !/sbin/nologin, !/bin/bash2, !/bin/ash, !/bin/bsh, !/bin/ksh, !/bin/tcsh, !/bin/csh, !/bin/zsh

%splunkadmins ALL=NOPASSWD:/sbin/service splunk *, /usr/sbin/tcpdump *

The first allows anyone in the splunkadmins group to become the splunk user using sudo.
The second is the ability for anyone in that group to restart the splunk service (or use tcpdump).

As long as you used enable boot-start with the user flag set to this splunk user you should be all set.

0 Karma
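
The access asked about in this thread can be checked before any chmod is run. The script below is an added example, not code from the posters or from Splunk: it reports whether an account (splunkusr in the question) passes the Unix mode-bit checks for reading a path and traversing its parent directories. It assumes GNU coreutils stat and absolute paths, its function names are hypothetical, and it does not evaluate ACLs or SELinux.

```shell
#!/bin/sh
# Added example (not from the thread): can an account read a path, judging only
# by Unix mode bits? ACLs, SELinux and capabilities are NOT evaluated.
# Assumes GNU coreutils stat(1); function names are hypothetical.

# mode_allows MODE FILE_UID FILE_GID UID "GID LIST" BIT   (BIT: 4=read, 1=traverse)
mode_allows() {
    m=$((0$1)); bit=$6
    if [ "$4" -eq 0 ]; then return 0; fi            # root is not limited by mode bits
    shift_by=0                                      # default: "other" class
    for g in $5; do
        if [ "$g" -eq "$3" ]; then shift_by=3; fi   # member of the file's group
    done
    if [ "$4" -eq "$2" ]; then shift_by=6; fi       # owner class takes precedence
    [ $(( (m >> shift_by) & bit )) -ne 0 ]
}

# check_path USER PATH: read bit on PATH plus traverse bit on every ancestor directory
check_path() {
    user=$1; target=$2
    uid=$(id -u "$user") || return 2
    gids=$(id -G "$user")
    dir=$(dirname "$target")
    while :; do
        st=$(stat -L -c '%a %u %g' "$dir") || return 2
        set -- $st
        if ! mode_allows "$1" "$2" "$3" "$uid" "$gids" 1; then
            echo "DENY  $user cannot traverse $dir (mode $1)"; return 1
        fi
        if [ "$dir" = / ] || [ "$dir" = . ]; then break; fi
        dir=$(dirname "$dir")
    done
    st=$(stat -L -c '%a %u %g' "$target") || return 2
    set -- $st
    if ! mode_allows "$1" "$2" "$3" "$uid" "$gids" 4; then
        echo "DENY  $user cannot read $target (mode $1)"; return 1
    fi
    echo "OK    $user can read $target (mode $1)"
}

# Usage: sh check_access.sh splunkusr /dev/urandom /var/log
if [ "$#" -ge 2 ]; then
    account=$1; shift
    for p in "$@"; do check_path "$account" "$p"; done
fi
```

A DENY line names the first directory or file whose mode bits block the account, which is the only place a permission or group-membership change is needed.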
