Security
Highlighted

splunk starting as root user how to change this one?

Builder

Hi

Slunk starting as root user, I used chown -R splunk;splunk /opt/splunk/ and its caousing errors when I try to restart splunk using splunk user. How to resolve this?

Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable. [FAILED]
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied

Splunk> Australian for grep.

Checking prerequisites...
Checking http port [8000]: already bound
ERROR: The http port [8000] is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]:

Tags (2)
Highlighted

Re: splunk starting as root user how to change this one?

SplunkTrust
SplunkTrust

kiran331,
You'll want convert to running as the Splunk user in a specific order:
1. Stop Splunk
2. chown -R splunk: /opt/splunk
3. splunk enable boot-start -user splunk
4. chown root:splunk /opt/splunk/etc/splunk-launch.conf (We want to ensure the Splunk user cannot tell itself to run as root, see: https://github.com/MattUebel/splunk_UF_hardening)

The issue you have is Splunk was potentially writing out files after your chown as root still and the pidfile not readable by Splunk.

View solution in original post

Highlighted

Re: splunk starting as root user how to change this one?

Explorer

neat answer, thank you

0 Karma