The ability to have a *nix UF run under a non-root user but still be able to have it read files was introduced with v9.0.0 of the UF (https://docs.splunk.com/Documentation/Forwarder/9.0.0/Forwarder/Installleastprivileged)
Is there a way that I, as a Splunk admin, could see which (if any) POSIX capabilities (CAP_DAC_READ_SEARCH - and potentially also CAP_NET_ADMIN and CAP_NET_RAW) the various forwarders are running under/with? I've had a look at index=_internal to see if the UF generates anything during start-up but I haven't found anything.