I find that I encountered more problems running Splunk instances as the user splunk than using root. When I use splunk to start a Splunk instance, the receiving port that I use to listen to incoming forwarded data could not be started up. When I use root to start a Splunk instance, then everything works. So, should I be running a Splunk instance with root or not? If not, how should I configure the Splunk instance to run smoothly under a normal user account?
Hi michael_lee,
this is not a Splunk problem, this is based on the so-called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.
If you want to use the port 800 with Splunk inputs, create a new Splunk TCP input on port 1800 and use an iptables rule to route input for port 800 to the Splunk port 1800:
/usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800
Your Sysadmin can do this for you.
Hope this helps ...
cheers, MuS
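A quick pre-flight check for the situation described above, added here as an example (it is not MuS's code and not part of Splunk): it tries to bind the two ports from the answer and reports why a non-root bind fails, so you can tell a privileged-port refusal apart from a port that is simply already taken. It assumes a Linux host (the sysctl path is Linux-specific; elsewhere the classic 1024 threshold is used) and that nothing else is listening on 1800.

```python
import errno
import os
import socket

# Linux exposes the privileged-port threshold as a sysctl; 1024 is the classic
# value that MuS's answer refers to. Path is an assumption for non-Linux hosts.
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def unprivileged_port_start(default=1024):
    """Lowest port an unprivileged process may bind; falls back to 1024."""
    try:
        with open(SYSCTL_PATH) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def is_privileged_port(port, threshold=None):
    """True when binding `port` needs root (or CAP_NET_BIND_SERVICE on Linux)."""
    if threshold is None:
        threshold = unprivileged_port_start()
    return 0 < port < threshold


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind; return (bound_port, err) where err is 0 on success."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return s.getsockname()[1], 0
    except OSError as e:
        return None, e.errno
    finally:
        s.close()


def explain(port):
    """Describe the bind result for `port` the way a Splunk admin would read it."""
    bound, err = try_bind(port)
    if err == 0:
        return f"port {port}: bind OK (got {bound})"
    if err == errno.EACCES:
        return (f"port {port}: EACCES, privileged port and uid {os.getuid()} "
                "is not root; use a port >= 1024 and redirect with iptables")
    if err == errno.EADDRINUSE:
        return f"port {port}: EADDRINUSE, another listener already owns it"
    return f"port {port}: {errno.errorcode.get(err, err)}"


if __name__ == "__main__":
    for p in (800, 1800):  # the example ports from the answer above
        print(explain(p))
```

Run it once as the splunk user and once as root: the splunk run shows EACCES on 800 and OK on 1800, which is exactly the split the question describes.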
Thanks. So what should be running on port 800? Is port 800 in your example a service?
As a note here, Splunk by default uses ports > 1024, which don't require privileges to open. For example the default web port is TCP/8000 and the default SplunkIn port is TCP/9997.
In cases where you want to use ports < 1024, you will need root or super user level access to do this.
Another side note, this post from @Gilles http://unix.stackexchange.com/questions/10735/linux-allowing-an-user-to-listen-to-a-port-below-1024 provides three possible solutions for this. From my point of view the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/installation/RunSplunkasadifferentornon-rootuser should be modified in this regard - I'll ping @docs
This is the port Splunk will open for your input and it's just an example; instead of foo I used 800.