×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dpollardcouk
Engager
Member since: ‎06-15-2019
a week ago
Community Statistics
Posts 2
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎06-15-2019
Activity Feed
Topics I've Started
View All

SELinux RHEL9 and Splunk

by in Splunk Enterprise
a week ago
a week ago
Go to the Splunk pages and pretty much it comes to the conclusion that you have to run SELinux in permissive mode. There are some githubs and evidence of people previously managing to run back at Splunk Enterprise 6 & 7 in enforcing mode, but this seems to have died off at Splunk 8.  There is one example of someone attempting 9.2.2Problem - CIS Level 2 Hardening, requires   SELinux to be set to Enforcing All processes to be running with Context (and Splunk do not tag/name provide context to the install) There are 30,000 files/names/processes to be manually added for Splunk Enterprise aloneSplunk TA's and Enterprise security are on top of this You cant add more wildcarded / open the context's wider without making overly permissive.   In environments that are regulated and it is mandatory requirement to have CIS Benchmark Level 2 Hardening enable AND have a security monitoring service in place (ie Splunk as a SIEM),  other than having people continuiously monitoring auditd logs and adding contexts 24/7 - what other solutions have people found. Other than thousands of exceptions and paying someone 24/7 to just manage SELinux,  how can Splunk Enterprise work with SELinux enforcing ?  ... View more
Labels

Re: KVStore does not start when running Splunk 9.4

by in Deployment Architecture
‎07-04-2025 05:23 AM
‎07-04-2025 05:23 AM
Which if your indexers are using a different partition for their storage, could be anywhere.    I found that I was missing the link too,    put note that I've put the link in at kvstore level rather than the mongo  ln -s /splunkdata/kvstore /opt/splunk/var/lib/splunk/kvstore   Where /splunkdata/ is my mounted data drive where all my indexes go. ... View more
Contact Me
Online Status
Offline
Date Last Visited
a week ago
Karma given to