Splunk Enterprise

Scripted Input permissions and execution troubleshooting

raynold_peterso
Path Finder

Hello all,

I think I need help on this one....

We have a standalone Windows system which is our indexer, management and deployment server. In the field, we have several flavors of devices running universal forwarders, i.e. Windows, Linux, Solaris, etc.

I am working on a directory monitor which will allow me to see what files are in a directory and report if one is missing or the like.

To test this, I created a scripted input to gather the contents of the directory and forward it to the indexer.

 

inputs.conf

###### Scripted Input to monitor directory files
[script://./bin/dircontents.sh]
disabled = 0
interval = 60
sourcetype = Script:dircontents.sh
index = filewatch

props.conf

[Script:dircontents.sh]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
MAX_EVENTS = 10000
TRUNCATE = 0
DATETIME_CONFIG = CURRENT

dircontents.sh

#!/bin/sh
# List the waiting directory, one file name per line; stop if it is missing
cd /u01/DeticaHome/UI/data/acquisition/waiting || exit 1
ls | sort

With those config files, I deploy the app without issue, but when the script runs I get the following:

index=_internal

07-23-2020 09:30:47.841 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/_server_app_Detica-File-Processing-Mon/bin/dircontents.sh" /bin/sh: /opt/splunkforwarder/etc/apps/_server_app_Detica-File-Processing-Mon/bin/dircontents.sh: cannot execute

It appears the permissions of the script are not correct. I checked and the deployed script, dircontents.sh, has permissions of 655 at deployment. I changed the permissions to 755 manually and the script took off and started working, but this was a manual intervention, which is not optimal.

The Universal forwarder was installed and running as root.  

To get this right, I need 755 permissions of the script for the scripted input.

What have I missed?  Any insight would be great at this point.

Thanks in advance,

Rcp

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

If I recall correctly, you cannot use a Windows DS for Linux/Unix (other than Windows) UFs. Vice versa it's OK.

You must switch your DS to a Linux server to deploy all needed environments.

R. Ismo

 


0 Karma

richgalloway
SplunkTrust
If the .sh file has 755 permissions on the DS then that should be retained on the UFs.
Are you aware of the risks of running the UF as root?
---
If this reply helps you, Karma would be appreciated.

shocko
Contributor

What mechanism does this though? Linux would not create a file with X set. The UF might, though, add that permission afterwards, I'd imagine.

0 Karma

raynold_peterso
Path Finder

The DS is a Windows system and you cannot set execute permissions on Windows files. Once it gets deployed, the UF gives it a 655 permission set. How do I get around that?

0 Karma

richgalloway
SplunkTrust
Ah. This is critical information. Running a DS on Windows is a known problem because of this very reason. Can you stand up a Linux box to run the DS on?
---
If this reply helps you, Karma would be appreciated.
0 Karma

raynold_peterso
Path Finder

I have kicked off the process and should have an AWS Linux system up soon. I'll install Splunk Enterprise and configure it as my deployment server.

Thanks for all the help.

 

0 Karma

isoutamo
SplunkTrust
Nice to hear that. As the case is solved, you should accept the solution so others can see it later on when they have the same issue.
0 Karma


raynold_peterso
Path Finder

So,

LinuxDS -> WindowsUF = OK
LinuxDS -> SolarisUF = OK
WindowsDS -> WindowsUF = OK
WindowsDS -> SolarisUF = BAD
WindowsDS -> LinuxUF = BAD

Is this what I am to understand?

Well, that is rather unfortunate. I'll start seeing what I can do to spin up a Linux system.

Let me know if I am off base.

isoutamo
SplunkTrust

That’s correct!
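
Added example, not part of any post in this thread: a POSIX shell check that can be run on a *nix forwarder after a deployment to catch the "cannot execute" condition from the question before ExecProcessor logs it. The function name `audit_app` and the assumption that script paths contain no spaces belong to this example; the `SPLUNK_HOME` default is the forwarder path shown in the log line above.

```shell
#!/bin/sh
# Added example (not from the thread): audit an app's scripted inputs.
# SPLUNK_HOME default is the forwarder path seen in the thread's log line.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# audit_app APP_DIR
# Prints "STATUS MODE PATH" for each [script://...] stanza in the app's
# default/ and local/ inputs.conf. Returns 1 if any script is missing or
# cannot be executed by the user running the audit.
audit_app() {
    app_dir=$1
    rc=0
    for conf in "$app_dir/default/inputs.conf" "$app_dir/local/inputs.conf"; do
        [ -f "$conf" ] || continue
        # Extract <cmd> from each "[script://<cmd>]" header (tolerates CRLF).
        cmds=$(sed -n 's|^[[:space:]]*\[script://\(.*\)][[:space:]]*$|\1|p' "$conf")
        while IFS= read -r cmd; do
            [ -n "$cmd" ] || continue
            cmd=${cmd%% *}                      # drop any script arguments
            case $cmd in
                ./*)              path="$app_dir/${cmd#./}" ;;      # app-relative
                '$SPLUNK_HOME'/*) path="$SPLUNK_HOME/${cmd#*/}" ;;  # literal variable
                *)                path=$cmd ;;
            esac
            if [ ! -e "$path" ]; then
                status=MISSING; mode=-; rc=1
            else
                mode=$(ls -ld "$path" | cut -c1-10)
                if [ -x "$path" ]; then status=OK; else status=NOEXEC; rc=1; fi
            fi
            printf '%s %s %s\n' "$status" "$mode" "$path"
        done <<EOF
$cmds
EOF
    done
    return "$rc"
}

# Stand-alone use: pass one or more app directories as arguments.
for app in "$@"; do
    audit_app "$app" || true
done
```

Run it as the account the forwarder runs under, because `-x` is evaluated for the calling user.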
