Installation

Why is splunk forwarder by default running with build user?

gcd24967
Explorer

Hi All,
I am new to splunk.
While starting splunk for the 1st time , it is starting with "build" user even though $SPLUNK_HOME has root ownership.


 

 

ps -ef| grep splunk

build     736222       1  0 06:42 ?        00:00:06 splunkd -p 8089 restart
build     736226  736222  0 06:42 ?        00:00:00 [splunkd pid=736222] splunkd -p 8089 restart [process-runner]

 

 


I want to run it with root user.... 
How to fix this issue??

Labels (2)
Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust
0 Karma

gcd24967
Explorer
drwxrwxrwx. 10 root root 4096 Jun  7 06:42 /u01/app/splunkforwarder/


SPLUNK_HOME has root ownership only...

still splunk is starting with build user

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

you should read this https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Installleastprivileged

The best practices is never run splunk (not UF or enterprise) as a root. Newer use directories where anyone can write or even read if/when you have some valuable data on those.

Another good document is https://docs.splunk.com/Documentation/Splunk/latest/Security/Hardeningstandards

r. Ismo

gcd24967
Explorer

Thanks for the information @isoutamo 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gcd24967 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

gcusello
SplunkTrust
SplunkTrust

Hi @gcd24967,

you have to change owner to all the folder and start the process as splunk user as described in the above documentation.

ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...