Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I prevent Introspection Generator to read information about non splunk process when hidepid activated on /proc ?

maraman_splunk
Splunk Employee
Splunk Employee
‎05-31-2017 02:14 AM

Hi,

my splunk is running as splunk user on a linux system where the admin has secured the OS by using hidepid=1 on /proc (see https://ubuntuforums.org/showthread.php?t=2173093 and https://www.kernel.org/doc/Documentation/filesystems/proc.txt)

As a consequence, splunkd.log is filled with these error messages :
ERROR IntrospectionGenerator:resource_usage - RU - Fail to readlink(2) /proc/nnnn/exe: Operation not permitted where nnnn is a pid from a process not run by splunk
This is repeated for each pid so generate a lot of noise.

I would like to tell Introspection to only look at it's own pid in that case or not produce error message for this.

Any idea how to do this ?

0 Karma
Reply

ipfyx
Engager
‎01-06-2021 07:26 AM

Hi,

you can also add the splunk group gid to the fstab ($ id splunk_user) :
proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=<splunk_gid>,hidepid=1 0 0

According to man proc :

       gid=gid (since Linux 3.3)
              Specifies the ID of a group whose members are authorized
              to learn process information otherwise prohibited by
              hidepid (i.e., users in this group behave as though /proc
              was mounted with hidepid=0).  This group should be used
              instead of approaches such as putting nonroot users into
              the sudoers(5) file.

 

Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎05-31-2017 02:24 AM

As a workaround, I completely disabled the generator for resource usage
in server.conf

[introspection:generator:resource_usage]
disabled=true

this stop the error message flood but that will also disable all related stats in the monitoring console....

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...