Splunk Forwarder 9.4.1: Warning: cannot create "/Applications/SplunkForwarder/var/log/splunk"

gpalau
New Member

I installed Splunk Forwarder 9.4.1 on macOS 15.4 and on first run I get a bunch of permission errors:

Warning: cannot create "/Applications/SplunkForwarder/var/log/splunk
Warning: cannot create "/Applications/SplunkForwarder/var/log/introspection"
Warning: cannot create "/Applications/SplunkForwarder/var/log/watchdog"
Warning: cannot create "/Applications/SplunkForwarder/var/log/client_events"

This appears to be your first time running this version of Splunk.
Could not open log file "/Applications/SplunkForwarder/var/log/splunk/first_install.log" for writing (2).

 

However these folders have the right permissions. A bit lost as to what to do here. 

0 Karma

livehybrid
SplunkTrust

Hi @gpalau 

Please could you confirm the permissions that you have on the installation?

 ls -ltr /Applications/SplunkForwarder

Are you intending to run Splunk as your own user? 

According to the docs (https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#:~:text=for%20th...) Mac OS 15.4 Sequoia is not yet supported *however* I am running this myself on an M1 Silicon Mac running 15.4 without issue, so it should work, but consider that it might not be officially supported.

For reference, on my installation the permissions are as follows:

ls -l /Applications/ | grep SplunkForwarder                                                                                                                           
>> drwxr-xr-x@ 17 MyUsername  wheel  544 17 Apr 17:07 SplunkForwarder


ls -l /Applications/SplunkForwarder                                                                                                                                    
drwxr-xr-x  27 MyUsername  wheel    864 20 Feb 19:41 bin
-r--r--r--   1 MyUsername  wheel     57 20 Feb 16:30 copyright.txt
drwxr-xr-x  32 MyUsername  wheel   1024 17 Apr 17:07 etc
-rw-r--r--@  1 root           wheel      0 17 Apr 17:06 Icon?
drwxr-xr-x   3 MyUsername  wheel     96 20 Feb 19:23 include
drwxr-xr-x  32 MyUsername  wheel   1024 17 Apr 17:06 lib
-r--r--r--   1 MyUsername  wheel  59708 20 Feb 16:30 license-eula.txt
drwxr-xr-x   5 MyUsername  wheel    160 17 Apr 17:07 openssl
-r--r--r--   1 MyUsername  wheel    522 20 Feb 18:01 README-splunk.txt
drwxr-xr-x   4 MyUsername  wheel    128 20 Feb 19:23 share
-r--r--r--   1 MyUsername  wheel  53332 20 Feb 19:41 splunkforwarder-9.4.1-e3bdab203ac8-darwin-universal2-manifest
drwxr-xr-x   3 MyUsername  wheel     96 20 Feb 19:24 swidtag
-rw-r--r--   1 MyUsername  wheel      0 20 Feb 19:23 uf
drwx--x---   7 MyUsername  wheel    224 17 Apr 17:07 var


0 Karma

isoutamo
SplunkTrust

I can also confirm that the UF is working in my environment on several macOS 15.4 machines, both Intel and M3. But the initial versions on those were lower than 9.4, and they were then updated.
0 Karma

kiran_panchavat
SplunkTrust

@gpalau 

You're running macOS 15.4 (Sequoia), which is not officially listed as supported yet.

The permission errors you're encountering when running Splunk Universal Forwarder 9.4.1 on macOS 15.4 are likely due to incorrect ownership or permissions for the Splunk Forwarder directories, or the process not being run with sufficient privileges.
 

If the permissions issue persists, you can try resetting the permissions for the entire Splunk Forwarder directory:

sudo chown -R $(whoami) /Applications/SplunkForwarder
sudo chmod -R 755 /Applications/SplunkForwarder

 
macOS supports the below:

[Image: kiran_panchavat_0-1744905836153.png]

0 Karma
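
Before resetting ownership or modes recursively, the cause can be narrowed down without changing anything. The script below is an added example, not part of any post in this thread: run as the account that starts the forwarder, it reports for each of the four directories from the warnings whether it exists and is writable, could be created, or is blocked by a specific ancestor directory. The function names are made up for the example; the default path is the one shown in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it changes nothing on disk.
# Directory names are the four from the warnings above; the default
# SPLUNK_HOME is the install path shown in the posts.

# Print the deepest ancestor of $1 that exists and is visible to this user.
deepest_existing() {
    p=$1
    while [ ! -e "$p" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Print ok | can-create | blocked:<dir> for one target directory.
# A directory needs both write and search (x) permission for the current
# user before anything can be created inside it.
check_target() {
    target=$1
    base=$(deepest_existing "$target")
    if [ -d "$base" ] && [ -w "$base" ] && [ -x "$base" ]; then
        if [ "$base" = "$target" ]; then echo ok; else echo can-create; fi
        return 0
    fi
    printf 'blocked:%s\n' "$base"
    return 1
}

# Check the four log directories and show owner/mode of whatever blocks them.
report() {
    home=${1:-/Applications/SplunkForwarder}
    rc=0
    printf 'checking as user: %s\n' "$(id -un)"
    for d in splunk introspection watchdog client_events; do
        status=$(check_target "$home/var/log/$d") || rc=1
        printf '%s/var/log/%s: %s\n' "$home" "$d" "$status"
        case $status in
            blocked:*) ls -ld "${status#blocked:}" ;;
        esac
    done
    return "$rc"
}

# Runs only when a SPLUNK_HOME argument is given, e.g.
#   sh check.sh /Applications/SplunkForwarder
if [ "$#" -gt 0 ]; then report "$1"; fi
```

A `blocked:` result names the directory whose owner or mode needs attention, so a fix can be limited to that one directory.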

gpalau
New Member

I went ahead and re-installed the Splunk Forwarder manually, and on the last step of the .pkg install it reads:

Click the "Splunk" icon on the Desktop to start and connect to Splunk.
To start Splunk manually, open a Terminal window and run the command: 
$ /Applications/Splunk/bin/splunk start
Documentation:
http://docs.splunk.com/Documentation/Splunk

However the installation path is /Applications/Splunk Forwarder/bin

Then you have to manually run a command line to approve the license?

 

0 Karma