Security

splunk starting as root user how to change this one?

kiran331
Builder

Hi

Slunk starting as root user, I used chown -R splunk;splunk /opt/splunk/ and its caousing errors when I try to restart splunk using splunk user. How to resolve this?

Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable. [FAILED]
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied

Splunk> Australian for grep.

Checking prerequisites...
Checking http port [8000]: already bound
ERROR: The http port [8000] is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]:

Tags (2)
1 Solution

beatus
Communicator

kiran331,
You'll want convert to running as the Splunk user in a specific order:
1. Stop Splunk
2. chown -R splunk: /opt/splunk
3. splunk enable boot-start -user splunk
4. chown root:splunk /opt/splunk/etc/splunk-launch.conf (We want to ensure the Splunk user cannot tell itself to run as root, see: https://github.com/MattUebel/splunk_UF_hardening)

The issue you have is Splunk was potentially writing out files after your chown as root still and the pidfile not readable by Splunk.

View solution in original post

beatus
Communicator

kiran331,
You'll want convert to running as the Splunk user in a specific order:
1. Stop Splunk
2. chown -R splunk: /opt/splunk
3. splunk enable boot-start -user splunk
4. chown root:splunk /opt/splunk/etc/splunk-launch.conf (We want to ensure the Splunk user cannot tell itself to run as root, see: https://github.com/MattUebel/splunk_UF_hardening)

The issue you have is Splunk was potentially writing out files after your chown as root still and the pidfile not readable by Splunk.

stekosan
Explorer

neat answer, thank you

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...