Security

How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

michael_lee
Path Finder

I find that I encountered more problems running splunk instances as the user splunk than using root. When I use splunk to start a Splunk instance, the receiving port that I use to listen to incoming forwarded data could not be started up. When I use root to start Splunk instance, then everything works. So, should I be running Splunk instance with root or not? If not, how should I configure Splunk instance to run smoothly user a normal user account.

Tags (3)
0 Karma
1 Solution

MuS
Legend

Hi michael_lee,

this is not a Splunk problem, this is based on the so called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use a iptables rule to route input for port 800 to the Splunk port 1800:

   /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi michael_lee,

this is not a Splunk problem, this is based on the so called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use a iptables rule to route input for port 800 to the Splunk port 1800:

   /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

michael_lee
Path Finder

thanks. so what should be running on port 800? is port 800 in your example a service?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

As a note here, Splunk by default uses ports > 1024, which dont require priv to open. For example the default web port is TCP/8000 and the Default SplunkIn port is TCP/9997.

In cases where you want to use ports < 1024, you will need root or super user level access to do this.

0 Karma

MuS
Legend

Another side note, this post from @Gilles http://unix.stackexchange.com/questions/10735/linux-allowing-an-user-to-listen-to-a-port-below-1024 provides three possible solutions for this. From my point of view the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/installation/RunSplunkasadifferentornon-rootuser should be modified in this regard - I'll ping @docs

0 Karma

MuS
Legend

This is the port Splunk will open for your input and it's just an example, instead of foo I used 800.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...