Hi everyone,
Currently I am trying to train splunk to monitor some logs in a directory.
1. The permission on the directory is drwxr-xr-x,
2. and the logs inside the directory are -rw-------
3. So I do chmod +r // -R. After the change, the file permission becomes -rw-r--r--, and splunk can read these log files without problem.
4. However, each time the application generates new log files, the new log files will be written as -rw------- again.
So how can we get splunk to monitor these log files? Or do we have to add the read permission on the entire directory permanently, so that all new log files generated will automatically inherit the "-rw-r--r--" permission?
Thanks.
Hi guys,
I just need to force an ACL on the directory, so when new log files have been generated, they will still inherit the permission of their parent directory:
setfacl -Rdm o::rx /<your directory path>
setfacl -Rm o::rx /<your directory path>
R is recursive, which means everything under that directory will have the rule applied to it.
d is default, which means all future items created under that directory have these rules applied by default. m is needed to add/modify rules.
The first command is for new items (hence the d); the second command is for old/existing items under the folder. Hope this helps someone out, as this stuff is a bit complicated and not very intuitive.
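As an added example (not from the thread), the script below applies the same two setfacl steps to a scratch directory and then checks what a file created afterwards actually inherits, including the case a default ACL cannot fix: an application that chmods its own files to 600. It assumes the acl package (setfacl/getfacl) and a filesystem with POSIX ACL support; "u:splunk" is a placeholder for a dedicated collector account, which is tighter than the thread's world-readable o::rx entry.

```shell
#!/bin/sh
# Added example: default ACL inheritance for a log directory, with a check.
# Principal is a setfacl form: "u:NAME", "g:NAME", or "o" (others).

# Map a principal to the prefix of its line in getfacl output.
acl_line_prefix() {
    case $1 in
        u:*) printf 'user:%s:' "${1#u:}" ;;
        g:*) printf 'group:%s:' "${1#g:}" ;;
        o)   printf 'other::' ;;
        *)   return 1 ;;
    esac
}

# Return 0 if a file created in "$1" after the default ACL is set is readable
# by principal "$2" while a file later chmod'ed to 600 is not; 1 on failure;
# 2 when the ACL tools are not installed.
verify_default_acl() {
    dir=$1; who=$2
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { echo "setfacl/getfacl missing (acl package); skipped" >&2; return 2; }
    prefix=$(acl_line_prefix "$who") || return 1
    mkdir -p "$dir" || return 1
    setfacl -Rm  "$who:r" "$dir" || return 1   # existing files and subdirs
    setfacl -Rdm "$who:r" "$dir" || return 1   # default entry: inherited (-d)
    # Simulate the application: restrictive umask, default create mode 0666.
    # With a default ACL present the umask is ignored, so read is inherited.
    ( umask 077; : > "$dir/new.log" ) || return 1
    # A reduced effective right gets a "#effective:" comment appended, so
    # matching the permission triple at end of line checks the real access.
    getfacl "$dir/new.log" 2>/dev/null | grep -q "^${prefix}"'r..$' || return 1
    # An explicit chmod 600 rewrites the other bits and the ACL mask; no
    # default ACL helps when the application sets 0600 itself.
    : > "$dir/strict.log" && chmod 600 "$dir/strict.log" || return 1
    if getfacl "$dir/strict.log" 2>/dev/null | grep -q "^${prefix}"'r..$'; then
        return 1
    fi
    return 0
}

# Demo on a scratch directory; in real use point this at the log directory
# and set PRINCIPAL to the collector account, e.g. PRINCIPAL=u:splunk.
scratch=$(mktemp -d)
verify_default_acl "$scratch" "${PRINCIPAL:-o}"
echo "verify_default_acl exit status: $?"
rm -rf "$scratch"
```

Exit status 0 means new files inherit the read entry; status 1 on a real log directory usually means the application sets the mode explicitly, and the fix then belongs in the application or its log rotation.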
You need a permanent fix that will allow Splunk to read the files within the directory. Splunk cannot bypass the operating system security.