I've set up my Splunk Enterprise as a non-root user and, up until last week, all apps installed as a non-privileged user. However, all apps now install as root - and I don't want this to happen - but any ideas why this would have started in the first place? It's only happened on this install with the latest version of Splunk Enterprise - wondering if it's a default perhaps? Version is 6.5.0 - have there been any issues with this distro?
Just a shot in the dark, but did you check by any chance whether the last restart of the Splunk instance happened as the root user?
Funny enough, after I wrote the question I did, and yes, there was a restart by root. Weird though, as I did the install as another user and was fine going about my business - then this. Also, after having a look at some of the Splunk directories, some files seemed to have changed to root-owned, and now doing a restart with the normal user won't work. Any ideas on why this has happened would be helpful too, and how I could reverse it (as a lot of files were changed to root-owned). I will have another look tomorrow on this, but I've been trialing a bunch of apps and Splunk Enterprise versions on our test range before we actually use it properly, so this is a test and analysis phase. Thanks! 🙂
Yw. In such cases, as it did happen to me sometimes, I always do a chown -R splunkUser:splunkUsergroup on the Splunk home directory just to be safe, so that all files inside the home directory which inadvertently went to root ownership are back to the correct splunkUser ownership.
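
An added example, not part of the thread: before running a blanket chown -R, this script lists which paths under the Splunk home are not owned by the service account, and can re-own only those. The /opt/splunk default and the account and group name "splunk" are assumptions; the fix step needs root.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Splunk home directory for paths
# whose owner is not the intended service account, then optionally repair them.
# Assumed defaults: SPLUNK_HOME=/opt/splunk, user "splunk", group "splunk".

# Print every path under $1 that is not owned by user $2 (name or numeric uid).
list_misowned() {
    find "$1" ! -user "$2" -print
}

# Count those paths (one per line; assumes no newlines in file names).
count_misowned() {
    list_misowned "$1" "$2" | wc -l | tr -d ' '
}

# Re-own only the mis-owned paths to user $2 and group $3.
# -h changes a symlink itself instead of the file it points to.
fix_misowned() {
    find "$1" ! -user "$2" -exec chown -h "$2:$3" {} +
}

# Usage: script audit [user]   or   script fix [user] [group]
# With no arguments nothing runs, so the functions can also be sourced.
case "${1:-}" in
    audit)
        list_misowned "${SPLUNK_HOME:-/opt/splunk}" "${2:-splunk}"
        ;;
    fix)
        fix_misowned "${SPLUNK_HOME:-/opt/splunk}" "${2:-splunk}" "${3:-splunk}"
        ;;
esac
```

Running the audit again after the fix should print nothing; any path it still lists was not changed.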