I have deployment server and all Splunk instances running under owner A and access group B in linux envirement.
But one of the Splunk universal forwarder which have same access group B do not have permissions to read files that are to be ingested.
The files have owner X and access group Y. But we have a limitation to add owner A or access group B to group Y at our organisation to give Splunk UF access to ingest files. so we thought to install Splunk UF under owner X and access group Y so that it has permissions to read files.
But what are the issues that arise from Splunk UF running under owner X , access group Y and the other splunk instances (deployment server, indexers ,S.H) running under owner A and access group B. Can I proceed with different owner and access group for splunk UF?.
It's always a bit tricky to implement the access code uniformly across the enterprise, but at the end of the day, all that you need is read access to these files. The system's integrity is not influenced by the fact that the access on certain hosts is implemented a bit differently. Obviously, it's nicer to have a uniform solution, but I wouldn't worry about it too much. We face similar challenges here as well ; - )