Splunk Enterprise

Scripted Input permissions and execution troubleshooting

Path Finder

Hello all,

I think I need help on this one....

We have a standalone Windows system which is our indexer, management and deployment server. In the field, we have several flavors of devices running universal forwarders, i.e. Windows, Linux, Solaris, etc.

I am working on a directory monitor which will allow me to see what files are in a directory and report if one is missing or the like.

To test this, I created a scripted input to gather the contents of the directory and forward it to the indexer.

inputs.conf

###### Scripted Input to monitor directory files
[script://./bin/dircontents.sh]
disabled = 0
interval = 60
sourcetype = Script:dircontents.sh
index = filewatch

props.conf

[Script:dircontents.sh]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
MAX_EVENTS = 10000
TRUNCATE = 0
DATETIME_CONFIG = CURRENT

dircontents.sh

cd /u01/DeticaHome/UI/data/acquisition/waiting
ls | sort

With those config files, I deploy the app without issue, but when the script runs I get the following;

index=_internal

07-23-2020 09:30:47.841 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/_server_app_Detica-File-Processing-Mon/bin/dircontents.sh" /bin/sh: /opt/splunkforwarder/etc/apps/_server_app_Detica-File-Processing-Mon/bin/dircontents.sh: cannot execute

It appears the permissions of the script are not correct.  I checked and the deploy script,  dircontents.sh, permissions are 655 at deployment.  I changed the permissions to 755 manually and the script took off and started working, but this was a manual intervention which is not optimal.   

The Universal forwarder was installed and running as root.  

To get this right, I need 755 permissions on the script for the scripted input.

What have I missed?  Any insight would be great at this point.

Thanks in advance,

Rcp

1 Solution

Champion

Hi

If I recall right, you cannot use a Windows DS for Linux/Unix (other than Windows) UFs. Vice versa it’s OK.

You must switch your DS to a Linux server to deploy to all needed environments.

R. Ismo


SplunkTrust
If the .sh file has 755 permissions on the DS then that should be retained on the UFs.
Are you aware of the risks of running the UF as root?
---
If this reply helps you, an upvote would be appreciated.

Path Finder

The DS is a Windows system and you cannot set execute permissions on Windows files. Once it gets deployed the UF gives it a 655 permission set. How do I get around that?


SplunkTrust
Ah. This is critical information. Running a DS on Windows is a known problem because of this very reason. Can you stand up a Linux box to run the DS on?
---
If this reply helps you, an upvote would be appreciated.

Path Finder

I have kicked off the process and should have an AWS Linux system up soon. I'll install Splunk Enterprise and configure it as my deployment server.

Thanks for all the help.


Champion
Nice to hear that. As the case is solved, you should accept the solution so others can see it later on when they have the same issue.
Path Finder

So,

LinuxDS -> WindowsUF = OK
LinuxDS -> SolarisUF = OK
WindowsDS -> WindowsUF = OK
WindowsDS -> SolarisUF = BAD
WindowsDS -> LinuxUF = BAD

Is this what I am to understand?

Well, that is rather unfortunate.  I'll start seeing what I can do to spin up a Linux system.   

Let me know if I am off base.


Champion

That’s correct!
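
A post-deployment check for the failure discussed in this thread, as an added example that is not part of the original posts: it walks the `inputs.conf` files under a forwarder's apps directory and reports every `[script://...]` input whose script is missing or not executable by the account running the check. The function name `audit_scripted_inputs` is hypothetical, the `/opt/splunkforwarder` default is taken from the log line above, and each stanza is assumed to hold only a script path with no arguments.

```shell
#!/bin/sh
# Added example (not from the thread): report scripted inputs whose script
# file is missing or not executable. Run it as the account the forwarder
# runs as, so the -x test reflects what the forwarder itself will see.
# Assumption: each [script://...] stanza holds only a path, no arguments.

audit_scripted_inputs() {
    apps_dir=$1
    splunk_home=${SPLUNK_HOME:-/opt/splunkforwarder}
    home_prefix='$SPLUNK_HOME/'   # literal text as written in inputs.conf
    for conf in "$apps_dir"/*/default/inputs.conf "$apps_dir"/*/local/inputs.conf; do
        [ -f "$conf" ] || continue
        app_dir=${conf%/*/inputs.conf}
        # Extract the path from every [script://<path>] stanza header.
        sed -n 's|^\[script://\(.*\)][[:space:]]*$|\1|p' "$conf" |
        while IFS= read -r path; do
            case $path in
                ./*)             script=$app_dir/${path#./} ;;   # relative to the app
                "$home_prefix"*) script=$splunk_home/${path#"$home_prefix"} ;;
                *)               script=$path ;;                 # absolute path
            esac
            if [ ! -f "$script" ]; then
                echo "MISSING $script"
            elif [ ! -x "$script" ]; then
                echo "NOEXEC $script"
            fi
        done
    done
}

# Stand-alone use: sh audit.sh /opt/splunkforwarder/etc/apps
if [ $# -gt 0 ]; then
    audit_scripted_inputs "$1"
fi
```

An empty result means every scripted input found is present and executable; any `NOEXEC` line corresponds to an input that will log the `cannot execute` error shown in the question.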