Hi
I'm about to install the splunk header as non-root user in our environment and just read in the documentation that splunkuser should have access to /dev/urandom script in linux box which is owned by root
I'm installing splunk as non-root user called a splunkusr and it is added to a group called splunkgrp.Do I have to do anything specifically to give access to /dev/urandom for splunkusr? or is it something splunk will manage to access /dev/urandom during inital startup?
spluker_123
Splunk does not take care of this - you need to do it in Linux. Signed in as root, you can change the permissions to the /dev/urandom script and any directories that you want Splunk to monitor (like /var/log). chmod
should be all that you need to do...
HTH
In Linux one approach to setting up a splunk service account user is to do the nomal linux adduser command.
Created a group "splunkadmins" and added the specific accounts to that group.
In sudoers add these lines for splunkadmins.
%splunkadmins ALL=(splunk) NOPASSWD: ALL, !/bin/sh, !/bin/bash, !/sbin/nologin, !/bin/bash2, !/bin/ash, !/bin/bsh, !/bin/ksh, !/bin/tcsh, !/bin/csh, !/bin/zsh
%splunkadmins ALL=NOPASSWD:/sbin/service splunk *, /usr/sbin/tcpdump *
The first allows anyone in the splunkadmins group to become the splunk user using sudo.
The second is the ability for anyone in that group to restart the splunk service (or use tcpdump).
As long ad you used enable boot-start with the user flag set to this splunk user you should be all set.
Splunk does not take care of this - you need to do it in Linux. Signed in as root, you can change the permissions to the /dev/urandom script and any directories that you want Splunk to monitor (like /var/log). chmod
should be all that you need to do...
HTH