I have installed Splunk Enterprise free trial into a VM as a root user. I know the best practice is to avoid using root to run as Splunk in case the underlying OS gets compromised and then the hacker has access to your OS with root level.
I am following the doc online and it says once you install Splunk as root, don't start the Splunk installation but rather add a new user and then change ownership of the Splunk folder to that new non-root user
But before I do that, when Splunk is installed I check its ownership and it's already configured to Splunk. Does this mean Splunk has already configured a non-root user automatically upon installation?
If so, how would I make sure it has read access to local files I want to monitor?
Hi
when you are using package manager like yum or dpkg, the installation add user splunk and change ownership of files to that user.
To give access to local files you could grant access by setfacl per file or recursively by directory.
r. Ismo
If you use an installer (as opposed to expanding a tarball) then the user was created for you and all files were given to that user.
To be able to read local files, check out this document: https://docs.splunk.com/Documentation/Forwarder/9.1.2/Forwarder/Installleastprivileged . It's written for forwarders, but may work for Splunk Enterprise, as well. If it doesn't work then you'll need to change file permissions or add user 'splunk' to a group that has read access to the file(s).