- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Re: Installing and running splunk as splunk user w...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Installing and running splunk as splunk user when user is in AD/LDAP
Couple of facts:
- I am installing Splunk from the source (*.tgz file).
- Our Splunk account is part of AD/LDAP
A few questions:
1. If I want it to be installed in /opt, what permissions do I set on the /opt directory w/o opening it up completely or making it owned by Splunk? Is there a better place to install this?
2. Can I use a service account that is in LDAP/AD to start Splunk? Would it work with:
/opt/splunk/bin/splunk enable boot-start -user splunk
Any suggestions on this is most welcome! Thank you in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We install Splunk on Solaris and AIX to run as user splunk, on Linux we run it as user root, this mainly as we have to logfiles protected on Linux so the forwarder would not be able to rad them. On Solaris wee start the splunk daemon with the privileges 'basic,file_dac_read,file_dac_search,net_privaddr' to allow it to rad all the log files, on AIX we grant it access via group permission.
This works all fine. In case you don't give it write access to /op/splunkforwarder, the you certainly have to make sure it can write to at least $SPLUNK_HOME/var, and $SPLUNK_HOME/etc, there might be even more issues.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fritz - Thank you for taking the time to respond. It seems that you are more affected on the forward servers?!??! I am talking about running splunk exterprise server as splunk user. Does this change your comments or advice?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All except one of our Splunk servers run under an userid splunk on Linux, for security reasons and to make the operations simpler. The team managing Splunk has no root access on this servers, but some sudo rules to become user splunk and control the service.
We changed the group of the local logfils we want to read to splunk and made them group readable.
For the indexer we have an apache webserver configured as proxy in front of Splunk as splunkweb can not bind to a low port if it is not running as root.
In the beginning Splunk has been stared a few times manually as root by issuing /opt/splunk/bin/splunk start. This changes the permission on the files Splunk writes and you can't start it as user Splunk afterwards. A chown splunk:splung -R /opt/splunk solves this.
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
Modern way of developing distributed application using OTel
