default umask for file creation on OS

chicodeme
Communicator

Splunk runs as root, so it has access to monitor anything on the system without managing those permissions.
I ran this
find /opt/splunk/ -type d -exec chmod g+s {} \;
The files get created:
-rw------- 1 root splunk filename
I want to have it
-rw-rw---- 1 root splunk filename

Any ideas besides change the root user default umask?


southeringtonp
Motivator

One option would be to run Splunk as a non-root user, and set the umask on the Splunk account. You would need to make sure all log files are viewable by the Splunk account, of course.

If you do need to run Splunk as root, POSIX ACLs may be your answer. Something like the following:

# Make sure all existing files are group-owned by Splunk. Set the filesystem
# ACL to allow the Splunk group as the default for new files, and set the 
# same ACL on currently existing files.
cd /opt/splunk/etc/apps
sudo setfacl -R -b .
sudo chown -R splunk:splunk .
sudo setfacl -R -d -m g:splunk:rwx .
sudo setfacl -R -m g:splunk:rwx .

# Then repeat the above for /opt/splunk/etc/system/local or other paths as desired.
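An added example, not part of the thread or of Splunk, that shows the limit both approaches share. The umask and a default ACL can only remove or cap permission bits; neither can grant bits the creating process did not ask for in the mode it passes to open(2). If the writer hard-codes 0600 at creation time, changing root's umask changes nothing, and under a default ACL the new file's mask entry is computed from the group bits of that same requested mode, so a group:splunk:rwx entry ends up masked to nothing (getfacl flags this with an #effective: comment next to the entry). The setgid bit from the find/chmod command in the question only controls which group owns new files, not their mode bits. File names, the umask values and the requested modes below are constructed for the demonstration.

```python
import os
import stat
import tempfile


def create_with(directory, name, requested_mode, umask):
    """Create a file via open(2) with an explicit mode under a given umask and
    return the permission bits the kernel actually applied."""
    path = os.path.join(directory, name)
    old_umask = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested_mode)
        os.close(fd)
    finally:
        os.umask(old_umask)
    return stat.S_IMODE(os.stat(path).st_mode)


def effective_acl_mask(default_mask, requested_mode):
    """POSIX.1e rule for a file created in a directory that carries a default
    ACL: the new file's mask entry is the default ACL's mask ANDed with the
    group bits of the mode passed to open(2).  Named-group entries such as
    group:splunk:rwx are then capped by that mask.  Returns a 3-bit value."""
    return default_mask & ((requested_mode >> 3) & 0o7)


def demo():
    """Compare a writer that lets umask decide with one that hard-codes 0600,
    first under a plain umask and then under a default ACL of group:splunk:rwx."""
    with tempfile.TemporaryDirectory() as d:
        # Writer asks for 0666 and lets umask 007 trim it: result is 0660.
        loose = create_with(d, "umask_decides.log", 0o666, 0o007)
        # Writer hard-codes 0600 at open(2): umask can only clear bits, so no
        # umask setting for root will turn this into 0660.
        strict = create_with(d, "mode_hardcoded.log", 0o600, 0o007)
        # Same two writers under a default ACL whose mask is rwx (0o7):
        acl_loose = effective_acl_mask(0o7, 0o666)   # rw-: group entry effective
        acl_strict = effective_acl_mask(0o7, 0o600)  # ---: group entry masked out
        return loose, strict, acl_loose, acl_strict


if __name__ == "__main__":
    loose, strict, acl_loose, acl_strict = demo()
    print("umask 007, requested 0666 ->", oct(loose))
    print("umask 007, requested 0600 ->", oct(strict))
    print("default ACL mask for requested 0666 ->", oct(acl_loose))
    print("default ACL mask for requested 0600 ->", oct(acl_strict))
```

The practical check before rolling out either approach is to create a file with Splunk running and inspect it with getfacl: if the ACL entry for the splunk group shows an #effective: value narrower than what was granted, the process is requesting a restrictive mode at creation and only a change on the Splunk side (or a non-root Splunk account with its own umask, as the answer suggests) will widen it.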

southeringtonp
Motivator

Agreed that a configurable umask setting in Splunk would be a big plus. (Time to file an ER!).

The distinction with using POSIX ACLs instead of traditional permissions is that you should only have to do it once. If you set the default ACL, I believe that it should inherit down as new files/directories are created by Splunk (Contrast that with the find/chmod approach, which you have to do over and over again as Splunk creates and modifies files in local.)


chicodeme
Communicator

I was looking more for a setting from a Splunk config. Managing ACLs is along the same lines as having to manage permissions. Also, I have SunOS, AIX, & Linux to manage. I should have been more specific in my question. Thanks for the feedback though.
