Security

How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

Path Finder

I find that I encountered more problems running splunk instances as the user splunk than using root. When I use splunk to start a Splunk instance, the receiving port that I use to listen to incoming forwarded data could not be started up. When I use root to start Splunk instance, then everything works. So, should I be running Splunk instance with root or not? If not, how should I configure Splunk instance to run smoothly user a normal user account.

Tags (3)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi michael_lee,

this is not a Splunk problem, this is based on the so called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use a iptables rule to route input for port 800 to the Splunk port 1800:

   /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

View solution in original post

SplunkTrust
SplunkTrust

Hi michael_lee,

this is not a Splunk problem, this is based on the so called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use a iptables rule to route input for port 800 to the Splunk port 1800:

   /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

View solution in original post

Path Finder

thanks. so what should be running on port 800? is port 800 in your example a service?

0 Karma

Splunk Employee
Splunk Employee

As a note here, Splunk by default uses ports > 1024, which dont require priv to open. For example the default web port is TCP/8000 and the Default SplunkIn port is TCP/9997.

In cases where you want to use ports < 1024, you will need root or super user level access to do this.

0 Karma

SplunkTrust
SplunkTrust

Another side note, this post from @Gilles http://unix.stackexchange.com/questions/10735/linux-allowing-an-user-to-listen-to-a-port-below-1024 provides three possible solutions for this. From my point of view the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/installation/RunSplunkasadifferentornon-rootuser should be modified in this regard - I'll ping @docs

0 Karma

SplunkTrust
SplunkTrust

This is the port Splunk will open for your input and it's just an example, instead of foo I used 800.

0 Karma