splunk - permission issue - read new log with -rw------- in a directory with drwxr-xr-x permission

season88481
Contributor

Hi everyone,

Currently I am trying to train splunk to monitor some logs in a directory.

1. The permission on the directory is drwxr-xr-x,
2. and the logs inside the directory are -rw-------.
3. So I do chmod +r // -R. After the change, the file permissions become -rw-r--r--, and splunk can read these log files without problem.
4. However, each time the application generates new log files, they are written as -rw------- again.

So how can we get splunk to monitor these log files? Or do we have to add the read permission on the entire directory permanently, so that all new log files generated will automatically inherit the "-rw-r--r--" permission?

Thanks.


season88481
Contributor

Hi guys,

I just need to force an ACL on the directory, so when new log files have been generated, they will still inherit the permission of their parent directory:

setfacl -Rdm o::rx /<your directory path>
setfacl -Rm o::rx /<your directory path>

R is recursive, which means everything under that directory will have the rule applied to it.
d is default, which means all future items created under that directory have these rules applied by default. m is needed to add/modify rules.

The first command is for new items (hence the d); the second command is for old/existing items under the folder. Hope this helps someone out, as this stuff is a bit complicated and not very intuitive.

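The following is an added example, not part of season88481's answer and not Splunk's own code: a POSIX shell script that applies the two setfacl commands above to a constructed scratch directory and then checks what "others" can actually read on a pre-existing -rw------- file, on a file created the way most daemons create logs (open with 0666, umask left to trim it), and on a file created with an explicit 0600 mode. It assumes an ACL-capable filesystem, the acl tools (setfacl/getfacl) and GNU or BusyBox coreutils (stat -c, mktemp -p); the file names and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): apply the accepted answer's
# two setfacl commands to a constructed scratch directory and check what
# "others" end up being able to read. Assumes an ACL-capable filesystem,
# the acl tools (setfacl/getfacl) and GNU or BusyBox coreutils.

# The answer's fix: a default ACL for items created later, plus an access
# ACL for items that already exist. $1 is the directory to fix.
apply_default_read_acl() {
    setfacl -Rdm o::rx "$1"   # default ACL, inherited by new items
    setfacl -Rm  o::rx "$1"   # access ACL, applied to existing items
}

# Print the "other" permission triplet of a file (e.g. r--, r-x, ---).
other_bits() {
    stat -c '%A' "$1" | cut -c8-10
}

# Case 1: how most daemons create logs: open(..., 0666) and let the umask
# trim it. Under a default ACL the umask is ignored and the default ACL is
# ANDed with 0666 instead, so "other" becomes r-- (rw & rx).
new_file_via_umask() {
    ( umask 077; : > "$1/app.log" )
    other_bits "$1/app.log"
}

# Case 2: a process that asks for 0600 explicitly (mktemp does). A default
# ACL cannot add bits the creating mode never had, so "other" stays ---.
new_file_mode_0600() {
    f=$(mktemp -p "$1" strict.XXXXXX)
    other_bits "$f"
}

# Walk through all three situations in a throwaway directory.
demo() {
    d=$(mktemp -d)
    : > "$d/old.log"
    chmod 600 "$d/old.log"                    # the pre-existing -rw------- log
    echo "before fix: old.log other=$(other_bits "$d/old.log")"
    apply_default_read_acl "$d"
    echo "after fix:  old.log other=$(other_bits "$d/old.log")"        # r-x
    echo "new file, umask 077:   other=$(new_file_via_umask "$d")"     # r--
    echo "new file, mode 0600:   other=$(new_file_mode_0600 "$d")"     # ---
    getfacl -p "$d"                           # shows the default: entries
    rm -rf "$d"
}

if command -v setfacl >/dev/null 2>&1; then
    demo
else
    echo "setfacl not installed; install the acl package to run this demo" >&2
fi
```

The last check is the caveat behind the answer: a default ACL is ANDed with the mode the creating process passes to open(), so it widens permissions only for files opened with a permissive mode such as 0666 that the umask would otherwise narrow. An application that opens its logs with 0600 explicitly will keep producing -rw------- files regardless of the ACL, and the fix then has to be made in the application's own configuration. Where the Splunk forwarder runs as a dedicated account, a named-user entry such as u:splunk:r-x in place of o::rx in both commands grants the read access to that account alone rather than to every local user.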

lguinn2
Legend

You need a permanent fix that will allow Splunk to read the files within the directory. Splunk cannot bypass the operating system security.
