Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is splunk forwarder by default running with build user?

gcd24967
Explorer
‎06-07-2023 12:07 AM

Hi All,
I am new to splunk.
While starting splunk for the 1st time , it is starting with "build" user even though $SPLUNK_HOME has root ownership.


 

 

ps -ef| grep splunk

build     736222       1  0 06:42 ?        00:00:06 splunkd -p 8089 restart
build     736226  736222  0 06:42 ?        00:00:00 [splunkd pid=736222] splunkd -p 8089 restart [process-runner]

 

 


I want to run it with root user.... 
How to fix this issue??

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2023 12:12 AM

Hi @gcd24967,

please read this: https://docs.splunk.com/Documentation/Splunk/9.0.5/Installation/RunSplunkasadifferentornon-rootuser

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcd24967
Explorer
‎06-07-2023 12:14 AM 
drwxrwxrwx. 10 root root 4096 Jun  7 06:42 /u01/app/splunkforwarder/


SPLUNK_HOME has root ownership only...

still splunk is starting with build user

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-07-2023 02:17 AM

Hi

you should read this https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Installleastprivileged

The best practices is never run splunk (not UF or enterprise) as a root. Newer use directories where anyone can write or even read if/when you have some valuable data on those.

Another good document is https://docs.splunk.com/Documentation/Splunk/latest/Security/Hardeningstandards

r. Ismo

Reply
Solved! Jump to solution

gcd24967
Explorer
‎06-07-2023 02:37 AM

Thanks for the information @isoutamo 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2023 12:45 AM

Hi @gcd24967 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2023 12:25 AM

Hi @gcd24967,

you have to change owner to all the folder and start the process as splunk user as described in the above documentation.

ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...