To maintain correct permissions, how do you allow splunk to read /var/log? I keep getting the following error:
06-08-2011 16:17:16.355 -0400 WARN FilesystemChangeWatcher - error reading directory "/var/log": Permission denied
I am very reluctant to change /var/log to 640. Any help would be appreciated.
Use the ACL command to grant permission to the 'splunk' user only.
sudo setfacl -R -m u:splunk:r-x /var/log
I would recommend adding the ID that splunk runs as to a group which has read permissions to those logs. Running splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.
Example: the following log has read permissions for the owner root and the group root. Adding the splunk ID to the group root should allow the splunk ID to read a log with 640 permissions, as shown below.
ls -l /var/log/messages
-rw-r----- 1 root root 2500271 Dec 15 15:03 messages
Another option would be to have the log set to world readable, i.e. permissions of 644.
Ultimately, you will need to speak to the sys admin as permissions may have higher/lower security levels at different companies.
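As an added illustration of the group-membership approach above (this is not code from the thread): a small audit script that walks a log directory and lists every entry a given uid, with its group memberships, could not read under the plain owner/group/other mode bits. It only models the classic bits, so it does not account for POSIX ACLs added with setfacl; the account name 'splunk' in the usage stanza is assumed.

```python
import grp
import os
import pwd
import stat


def effective_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to uid for this stat result.

    Mirrors the kernel's owner -> group -> other selection; uid 0 bypasses
    the check entirely. POSIX ACLs (setfacl) are NOT consulted here.
    """
    if uid == 0:
        return 7
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def can_read(st, uid, gids):
    """A file needs r; a directory needs r (to list) and x (to enter)."""
    bits = effective_bits(st, uid, gids)
    need = 5 if stat.S_ISDIR(st.st_mode) else 4
    return bits & need == need


def unreadable_paths(root, uid, gids):
    """Walk root and return the sorted relative paths uid could not read."""
    blocked = []
    if not can_read(os.lstat(root), uid, gids):
        blocked.append(".")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not can_read(os.lstat(full), uid, gids):
                blocked.append(os.path.relpath(full, root))
    return sorted(blocked)


def ids_for_user(name):
    """Resolve a local account to (uid, {primary and supplementary gids})."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    # Audit /var/log for the account Splunk runs as (assumed to be 'splunk').
    uid, gids = ids_for_user("splunk")
    for rel in unreadable_paths("/var/log", uid, gids):
        print(rel)
```

Run it before and after adding the account to a group such as root to see which entries a group change actually fixes; entries that remain are candidates for the ACL route.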
OK, for all future purposes, or anyone needing to use splunk without running it as root: you will need to set ACLs on the /var/log directory. You only need to set read for the splunk user, which will still keep you in a very secure setup as long as you keep splunk as a /sbin/nologin account as well.
You need to run splunk as the root user in order to read files that only root has access to, as well as to listen on privileged network ports.
For privileged ports, I prefer either a reverse proxy server or an iptables redirect https://www.cyberciti.biz/faq/linux-port-redirection-with-iptables
I downvoted this post because running any application as root is considered a severe security risk and most organisations with any sense will laugh at this recommendation. Use ACLs on the host or add the splunk user to a group that has read access.
I don't know of any way to use sudo to only provide read permissions to the splunk process. You could add the splunk user to various groups that have read permission of the files.
Could you describe the best way to present access to the splunk account to do this? I, and security, would prefer it if it ran as splunk. I was thinking of possibly making a modification to sudoers, but I am unsure if it does a cat or a tail or something else to the logs.
This is on RHEL 5.6.