Security

splunk starting as root user how to change this one?

kiran331
Builder

Hi

Slunk starting as root user, I used chown -R splunk;splunk /opt/splunk/ and its caousing errors when I try to restart splunk using splunk user. How to resolve this?

Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable. [FAILED]
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied

Splunk> Australian for grep.

Checking prerequisites...
Checking http port [8000]: already bound
ERROR: The http port [8000] is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]:

Tags (2)
1 Solution

beatus
Communicator

kiran331,
You'll want convert to running as the Splunk user in a specific order:
1. Stop Splunk
2. chown -R splunk: /opt/splunk
3. splunk enable boot-start -user splunk
4. chown root:splunk /opt/splunk/etc/splunk-launch.conf (We want to ensure the Splunk user cannot tell itself to run as root, see: https://github.com/MattUebel/splunk_UF_hardening)

The issue you have is Splunk was potentially writing out files after your chown as root still and the pidfile not readable by Splunk.

View solution in original post

beatus
Communicator

kiran331,
You'll want convert to running as the Splunk user in a specific order:
1. Stop Splunk
2. chown -R splunk: /opt/splunk
3. splunk enable boot-start -user splunk
4. chown root:splunk /opt/splunk/etc/splunk-launch.conf (We want to ensure the Splunk user cannot tell itself to run as root, see: https://github.com/MattUebel/splunk_UF_hardening)

The issue you have is Splunk was potentially writing out files after your chown as root still and the pidfile not readable by Splunk.

stekosan
Explorer

neat answer, thank you

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...