Linux: Splunk Universal Forwarder as non-root with supplementary groups

Path Finder



our splunk  universal forwarder is runnning under a non-root service account, which is defined in our central ldap.


We upgraded our universal forwarder from 7.3.7 to 8.0.5 and now our forwarder cannot monitor our file anymore.


The file to be monitored is set as following:

#ls -al /tmp/ldap-group-test

-rw-r-----. 1 root ldapgroup 100 Sep 1 09:27 /tmp/ldap-group-test


Our splunk service account user is a member of the group ldapgroup:

#id ldapsplunk
uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup),100009(ldapgroup)


In Splunk with a universal forwarder in version 8.0.5 we get a permission denied.

If we use a scripted input (inputs.conf) to display the user and group context of the currently running splunk forwarder session:



time=$(date +%s)

echo "${time} - ${hostname} - ${id} - ${rc}"

we get as output:

1598967093 - - uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup) context=system_u:system_r:unconfined_service_t:s0 - 0


As you can see, the membership of ldapgroup is missing here.

It seems that during the start process of the universal forwarder, the permissions for ldap groups aren't passed correctly.


Has anyone already noticed this? Are there any workarounds other than downgrading to version 7.3?


- Lorenz


Labels (2)
Tags (2)
0 Karma


I have tested your scenario, my splunk is running with user splunk and group splunk

I have created a new group added user to new group also.

I have created with code you shared.

when I ran using splunk cmd bash 

I can see old group and new group. 

I don't that is an issue with Splunk.

If this helps, give a like below.
0 Karma

Path Finder



local groups are working for me as well. The problem is only with groups from ldap.

Did you try with ldap groups?

And: Did you really try to run my script as a real scripted input via inputs.conf and not over regular cli?


- Lorenz

0 Karma
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...