Couple of facts:
A few questions:
1. If I want it to be installed in
/opt, what permissions do I set on the
/opt directory w/o opening it up completely or making it owned by Splunk? Is there a better place to install this?
2. Can I use a service account that is in LDAP/AD to start Splunk? Would it work with:
/opt/splunk/bin/splunk enable boot-start -user splunk
Any suggestions on this is most welcome! Thank you in advance.
We install Splunk on Solaris and AIX to run as user splunk, on Linux we run it as user root, this mainly as we have to logfiles protected on Linux so the forwarder would not be able to rad them. On Solaris wee start the splunk daemon with the privileges 'basic,file_dac_read,file_dac_search,net_privaddr' to allow it to rad all the log files, on AIX we grant it access via group permission.
This works all fine. In case you don't give it write access to /op/splunkforwarder, the you certainly have to make sure it can write to at least $SPLUNK_HOME/var, and $SPLUNK_HOME/etc, there might be even more issues.
Fritz - Thank you for taking the time to respond. It seems that you are more affected on the forward servers?!??! I am talking about running splunk exterprise server as splunk user. Does this change your comments or advice?
All except one of our Splunk servers run under an userid splunk on Linux, for security reasons and to make the operations simpler. The team managing Splunk has no root access on this servers, but some sudo rules to become user splunk and control the service.
We changed the group of the local logfils we want to read to splunk and made them group readable.
For the indexer we have an apache webserver configured as proxy in front of Splunk as splunkweb can not bind to a low port if it is not running as root.
In the beginning Splunk has been stared a few times manually as root by issuing /opt/splunk/bin/splunk start. This changes the permission on the files Splunk writes and you can't start it as user Splunk afterwards. A chown splunk:splung -R /opt/splunk solves this.