Splunk Dev

Run Splunk under splunk user instead of root

vin02
Path Finder

Currently my environment using splunk as root user, I want to Run Splunk under splunk user instead of root and run splunk web on 8443.
What is the procedure to implement the same and what will be the impact?

0 Karma
1 Solution

gjanders
SplunkTrust
SplunkTrust

You probably want to set your SPLUNK_OS_USER in the /opt/splunk/etc/splunk-launch.conf file:
# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
#
# SPLUNK_OS_USER

SPLUNK_OS_USER=splunk

First you will need to re-own the files back to the splunk user in your installation directory.

The limitations would be:
ulimits may be set differently for the splunk user (this can of course be changed for the splunk user)
You cannot listen on a privileged port number below 1024

I've never found either of these items to be an issue, if you need a syslog listener on port 514 for example you can run that as a separate process which runs as root...

View solution in original post

gjanders
SplunkTrust
SplunkTrust

You probably want to set your SPLUNK_OS_USER in the /opt/splunk/etc/splunk-launch.conf file:
# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
#
# SPLUNK_OS_USER

SPLUNK_OS_USER=splunk

First you will need to re-own the files back to the splunk user in your installation directory.

The limitations would be:
ulimits may be set differently for the splunk user (this can of course be changed for the splunk user)
You cannot listen on a privileged port number below 1024

I've never found either of these items to be an issue, if you need a syslog listener on port 514 for example you can run that as a separate process which runs as root...

vin02
Path Finder

How to use iptables prerouting to forward request coming on port 443 to port 8443?

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...