Splunk Search

default umask for file creation on OS

chicodeme
Communicator

Splunk runs as root so it has access to monitor anything on the system without managing those permissions.
I ran this
find /opt/splunk/ -type d -exec chmod g+s {} \;
The files get created:
-rw------- 1 root splunk filename
I want to have it
-rw-rw---- 1 root splunk filename

Any ideas besides change the root user default umask?

Tags (1)

southeringtonp
Motivator

One option would be to run Splunk as a non-root user, and set the umask on the Splunk account. You would need to make sure all log files are viewable by the Splunk account, of course.

If you do need to run Splunk as root, POSIX ACLs may be your answer. Something like the following:

# Make sure all existing files are group-owned by Splunk. Set the filesystem
# ACL to allow the Splunk group as the default for new files, and set the 
# same ACL on currently existing files.
cd /opt/splunk/etc/apps
sudo setfacl -R -b .
sudo chown -R splunk:splunk .
sudo setfacl -R -d -m g:splunk:rwx .
sudo setfacl -R -m g:splunk:rwx .

# Then repeat the above for /opt/splunk/etc/system/local or other paths as desired.

southeringtonp
Motivator

Agreed that a configurable umask setting in Splunk would be a big plus. (Time to file an ER!).

The distinction with using POSIX ACLs instead of traditional permissions is that you should only have to do it once. If you set the default ACL, I believe that it should inherit down as new files/directories are created by Splunk (Contrast that with the find/chmod approach, which you have to do over and over again as Splunk creates and modifies files in local.)

0 Karma

chicodeme
Communicator

I was looking more for a setting from a Splunk config. Managing Acls is along the same lines as having to manage permissions. Also, I have SunOS, AIX, & Linux to manage. I should have been more specific in my question. Thanks for the feedback though.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...