Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Linux: Splunk Universal Forwarder as non-root with supplementary groups

DATEVeG
Path Finder
‎09-01-2020 06:53 AM

Hi,

 

our splunk  universal forwarder is runnning under a non-root service account, which is defined in our central ldap.

 

We upgraded our universal forwarder from 7.3.7 to 8.0.5 and now our forwarder cannot monitor our file anymore.

 

The file to be monitored is set as following:

#ls -al /tmp/ldap-group-test

-rw-r-----. 1 root ldapgroup 100 Sep 1 09:27 /tmp/ldap-group-test

 

Our splunk service account user is a member of the group ldapgroup:

#id ldapsplunk
uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup),100009(ldapgroup)

 

In Splunk with a universal forwarder in version 8.0.5 we get a permission denied.

If we use a scripted input (inputs.conf) to display the user and group context of the currently running splunk forwarder session:

bin/display_groups.sh

#/bin/bash

hostname=$(hostname)
time=$(date +%s)
id=$(id)
rc=$?

echo "${time} - ${hostname} - ${id} - ${rc}"

we get as output:

1598967093 - splunkhost.bla.fasel.de - uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup) context=system_u:system_r:unconfined_service_t:s0 - 0

 

As you can see, the membership of ldapgroup is missing here.

It seems that during the start process of the universal forwarder, the permissions for ldap groups aren't passed correctly.

 

Has anyone already noticed this? Are there any workarounds other than downgrading to version 7.3?

Thanks

- Lorenz

 

Labels (2)
Labels
Tags (2)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-01-2020 07:40 AM

I have tested your scenario, my splunk is running with user splunk and group splunk

I have created a new group added user to new group also.

I have created test.sh with code you shared.

when I ran test.sh using splunk cmd bash test.sh 

I can see old group and new group. 

I don't that is an issue with Splunk.

————————————
If this helps, give a like below.
0 Karma
Reply

DATEVeG
Path Finder
‎09-01-2020 08:41 AM

Hi,

 

local groups are working for me as well. The problem is only with groups from ldap.

Did you try with ldap groups?

And: Did you really try to run my script as a real scripted input via inputs.conf and not over regular cli?

 

- Lorenz

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...