Monitoring Splunk

How to determine which (if any) POSIX capabilities a UF is running under/with?


The ability to have a *nix UF run under a non-root user but still be able to have it read files was introduced with v9.0.0 of the UF (

Is there a way that I, as a Splunk admin, could see which (if any) POSIX capabilities (CAP_DAC_READ_SEARCH - and potentially also CAP_NET_ADMIN and CAP_NET_RAW) the various forwarders are running under/with?  I've had a look at index=_internal to see if the UF generates anything during start-up but I haven't found anything.


Labels (2)
0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...