I just installed Splunk forwarder 6.2 on AIX. It appears it now uses startsrc and stopsrc commands to stop and start splunk. These are privileged commands which the splunk user does not have access to so I can no longer start/stop splunk from the non-root user.
from non-root splunks user
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
execve: Permission denied
while running command /usr/bin/stopsrc
Could not kill pid 6619336.
So when I look at stopsrc as non root user
startsrc -g splunk
ksh: startsrc: 0403-006 Execute permission denied.
I have tried with and without the /etc/inittab entry with and without the -user tag.
Options:
1. /opt/splunkforwarder/bin/splunk {start,stop}. This should start / stop Splunk without SRC's involvement.
2. sudo to enable you to do this one thing.
I'm curious if you're actually doing #1 above already and still running into these issues.
The message I'm hearing regarding this issue is you can use splunk start/stop as long as boot start is not enabled. That is not a workaround.
Can this be accomplished?
Splunk support told me I need write access to /etc/inittab - is that the only way it is possible to use startsrc -s splunkd?
So, apparently, Splunk has made some changes here with respect to how boot-start works. I don't have access to any AIX systems at this point to be able to fully test.
When you enable splunk boot-start, this causes Splunk to add itself to the SRC (subsystem resource controller) as a service, and it causes it to add an entry to /etc/inittab to do a startsrc -g splunk. From here, using the SRC commands to stop and start splunk is highly recommended.
As to whether or not your non-root user can run startsrc / stopsrc command, this is an AIX RBAC issue and / or a place for sudo. I would suggest talking to your sysadmin, and having her explain how the server's RBAC is configured and whether or not you can be given the rights to use the startsrc and stopsrc.
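A sudoers fragment for the sudo route mentioned above, added here as an example and not taken from this thread or from Splunk. It assumes sudo is installed on the AIX host and that the account is named splunk; the splunkd subsystem and splunk group names are the ones used in this thread, and the startsrc path is assumed to sit beside /usr/bin/stopsrc.

```sudoers
# Added example; edit with visudo so a syntax error cannot lock out sudo.
# Assumptions: account name "splunk", SRC subsystem "splunkd", SRC group "splunk",
# and startsrc installed next to /usr/bin/stopsrc.

# Too broad (shown commented out): with no arguments listed, sudo accepts any
# arguments, so this would cover every SRC subsystem on the host.
# splunk ALL = (root) /usr/bin/startsrc, /usr/bin/stopsrc

# Scoped: when arguments are listed, sudo requires an exact match, so the
# grant covers only Splunk's own subsystem and group.
Cmnd_Alias SPLUNK_SRC = /usr/bin/startsrc -s splunkd, \
                        /usr/bin/stopsrc -s splunkd, \
                        /usr/bin/startsrc -g splunk, \
                        /usr/bin/stopsrc -g splunk

splunk ALL = (root) SPLUNK_SRC
```

With this rule the splunk user runs, for example, `sudo /usr/bin/stopsrc -s splunkd`, and root can confirm what was granted with `sudo -l -U splunk`.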
Thanks for the reply dwaddle.
Splunk docs suggest a -s to start/stop with src but neither -g nor -s works for me.
I'll try engaging a sysadmin to get some answers, as RBAC is completely foreign to me.
I went back to basics. If I just leave out the entry:
/opt/splunkforwarder/bin/splunk enable boot-start
I am OK.
I have replaced it with
root:2:once:su - splunk "-c splunk start" > /dev/console 2>&1
which brings back all the happiness. Thanks for the help.