So here is the issue. We set up an account in Linux that can access these files when you are logged on to the box as Splunk. Permissions are correct. But when the Splunk Universal forwarder tries to access them it gets permission denied.
01-25-2017 14:17:55.326 +0000 WARN FilesystemChangeWatcher - error reading directory "/user_projects/domains/pgcprd/servers/pgc-01": Permission denied
I have found a workaround: currently the Splunk account has
but if I change it to
it works fine.
Is there an issue with Splunk being a member of more than one group?