Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk User Getting Permission Denied In Linux

OgoSplunk
Path Finder
‎12-12-2022 07:15 AM

Hi,

I heard that it's frowned upon to run Splunk on the root so I created a Splunk User. I can't figure out why I can't run Splunk start, stop, and status without getting permission denied. I've changed the ownership to for /opt/splunk to the user "Splunk" that I've created because I was told it was bad to run Splunk as root.  When working in my "Splunk" user account I continuously get this error whenever trying to config enable boot-start splunk.

oot@cluster-master:/opt# ./splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk

Warning: cannot create "/opt/splunk/var/log/splunk"

Warning: cannot create "/opt/splunk/var/log/introspection"

Warning: cannot create "/opt/splunk/var/log/watchdog"
Systemd unit file installed at /etc/systemd/system/Splunkd.service.
Configured as systemd managed service.
root@cluster-master:/opt# su splunk
splunk@cluster-master:/opt$ ./splunk/bin/splunk status

Warning: cannot create "/opt/splunk/var/log/splunk"

Warning: cannot create "/opt/splunk/var/log/introspection"

Warning: cannot create "/opt/splunk/var/log/watchdog"
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable.
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunk@cluster-master:/opt$

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2022 08:07 AM

The enable boot-start command must be run as root because it modifies system files. You either can switch to the root user to run the command or use sudo. See https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/ConfigureSplunktostartatboottime#Enable_boo...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2022 08:07 AM

The enable boot-start command must be run as root because it modifies system files. You either can switch to the root user to run the command or use sudo. See https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/ConfigureSplunktostartatboottime#Enable_boo...

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

OgoSplunk
Path Finder
‎12-12-2022 08:23 AM

@richgalloway Step 6 wants me to edit a file using nano or any text editor but I don't see the file there /splunk/etc/init.d/splunk could you help me out with this last part? 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2022 08:32 AM

That file is created in Step 3, but only on systems not running systemd.  However, given the output in the OP, I believe you should be following the steps in the "Enable boot-start on machines that run systemd" section.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

OgoSplunk
Path Finder
‎12-12-2022 08:43 AM

@richgalloway you're the GOAT( GREATEST OF ALL TIME). I'll pass on the Karma now 

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top