Installation

Linux: Splunk Universal Forwarder as non-root with supplementary groups

DATEVeG
Path Finder

Hi,

Our Splunk universal forwarder is running under a non-root service account, which is defined in our central LDAP.


We upgraded our universal forwarder from 7.3.7 to 8.0.5 and now our forwarder cannot monitor our file anymore.

The file to be monitored is set as follows:

#ls -al /tmp/ldap-group-test

-rw-r-----. 1 root ldapgroup 100 Sep 1 09:27 /tmp/ldap-group-test


Our Splunk service account user is a member of the group ldapgroup:

#id ldapsplunk
uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup),100009(ldapgroup)


In Splunk with a universal forwarder in version 8.0.5 we get a "permission denied" error.

If we use a scripted input (inputs.conf) to display the user and group context of the currently running Splunk forwarder session:

bin/display_groups.sh

#!/bin/bash
# Print the identity the forwarder actually runs this scripted input under.

hostname=$(hostname)
time=$(date +%s)
id=$(id)        # uid, gid and supplementary groups of this process
rc=$?           # exit status of the id call

echo "${time} - ${hostname} - ${id} - ${rc}"

we get as output:

1598967093 - splunkhost.bla.fasel.de - uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup) context=system_u:system_r:unconfined_service_t:s0 - 0


As you can see, the membership of ldapgroup is missing here.

It seems that during the start process of the universal forwarder, the permissions for ldap groups aren't passed correctly.


Has anyone already noticed this? Are there any workarounds other than downgrading to version 7.3?

Thanks

- Lorenz

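As an added example (not code from this thread or from Splunk): a POSIX shell script that applies the kernel's read-permission rule to an `ls -l` line and an `id` line, so the two `id` outputs quoted in the post can be compared side by side. The sample inputs are copied from the post above; the function names `id_user`, `id_groups`, `can_read` and `missing_groups` are my own, not Splunk tooling. It shows why the file is readable from an interactive shell (group class matches via `ldapgroup`) but denied inside the scripted input (the group is absent from the process's supplementary list, so the "other" class, with no read bit, is the one consulted).

```shell
#!/bin/sh
# Sample inputs copied from the post above (constructed for illustration, not live data).
LS_LINE='-rw-r-----. 1 root ldapgroup 100 Sep 1 09:27 /tmp/ldap-group-test'
ID_SHELL='uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup),100009(ldapgroup)'
ID_INPUT='uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup) context=system_u:system_r:unconfined_service_t:s0'

# id_user ID_LINE: the user name from an `id` output line
id_user() {
  printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# id_groups ID_LINE: the group names from the groups= field, one per line
id_groups() {
  printf '%s\n' "$1" \
    | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
    | tr ',' '\n' \
    | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# can_read LS_LINE ID_LINE: prints which permission class grants read
# (owner, group, other) or "denied". Like the kernel, only the first
# matching class is consulted: an owner without the owner read bit is
# denied even if the group bits would allow it. Return status mirrors it.
can_read() {
  id_line=$2
  set -- $1                      # split the ls -l line into its fields
  mode=$1 owner=$3 group=$4
  if [ "$(id_user "$id_line")" = "$owner" ]; then
    case $mode in ?r*) echo owner; return 0 ;; esac
    echo denied; return 1
  fi
  if id_groups "$id_line" | grep -qx "$group"; then
    case $mode in ????r*) echo group; return 0 ;; esac
    echo denied; return 1
  fi
  case $mode in ???????r*) echo other; return 0 ;; esac
  echo denied; return 1
}

# missing_groups ID_A ID_B: groups present in the first id line but not the second
missing_groups() {
  id_groups "$1" | while read -r g; do
    id_groups "$2" | grep -qx "$g" || printf '%s\n' "$g"
  done
}

printf 'interactive shell : %s\n' "$(can_read "$LS_LINE" "$ID_SHELL")"
printf 'scripted input    : %s\n' "$(can_read "$LS_LINE" "$ID_INPUT")"
printf 'groups lost       : %s\n' "$(missing_groups "$ID_SHELL" "$ID_INPUT" | tr '\n' ' ')"
```

The practical check is the same one the post already makes: the groups listed by `id` from inside the scripted input are the ones the kernel consults for that process, whereas `id ldapsplunk` from a shell only shows what the name service would resolve at the moment you ask. Feeding both outputs to `missing_groups` names exactly which memberships the running process lacks.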

thambisetty
SplunkTrust

I have tested your scenario; my Splunk is running with user splunk and group splunk.

I have created a new group and added the user to the new group as well.

I have created test.sh with the code you shared.

When I ran test.sh using splunk cmd bash test.sh,

I can see the old group and the new group.

I don't think that is an issue with Splunk.

If this helps, give a like below.

DATEVeG
Path Finder

Hi,


Local groups are working for me as well. The problem is only with groups from LDAP.

Did you try with LDAP groups?

And: did you really try to run my script as a real scripted input via inputs.conf and not over the regular CLI?


- Lorenz
