Splunk Installation running as non-root user (Debi...

IAskALotOfQs · ‎12-04-2023

I have installed Splunk Enterprise free trial into a VM as a root user. I know the best practice is to avoid using root to run as Splunk in case the underlying OS gets compromised and then the hacker has access to your OS with root level.

I am following the doc online and it says once you install Splunk as root, don't start the Splunk installation but rather add a new user and then change ownership of the Splunk folder to that new non-root user

But before I do that, when Splunk is installed I check its ownership and it's already configured to Splunk. Does this mean Splunk has already configured a non-root user automatically upon installation?

If so, how would I make sure it has read access to local files I want to monitor?

isoutamo · ‎12-04-2023

Hi

when you are using package manager like yum or dpkg, the installation add user splunk and change ownership of files to that user.

To give access to local files you could grant access by setfacl per file or recursively by directory.

r. Ismo

richgalloway · ‎12-04-2023

If you use an installer (as opposed to expanding a tarball) then the user was created for you and all files were given to that user.

To be able to read local files, check out this document: https://docs.splunk.com/Documentation/Forwarder/9.1.2/Forwarder/Installleastprivileged . It's written for forwarders, but may work for Splunk Enterprise, as well. If it doesn't work then you'll need to change file permissions or add user 'splunk' to a group that has read access to the file(s).

---
If this reply helps you, Karma would be appreciated.

Splunk Installation running as non-root user (Debian package)

installation

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!