Hi,
We installed/configured Splunk Universal Forwarder 7.2.3 on hundreds of RHEL 6.10 machines in our environment and all of them are working perfectly fine. There are a few machines with SELinux enabled in "permissive" mode. None of them are in "Enforcing" mode (thankfully).
Among these SELinux (permissive mode) machines, we were able to install/configure Splunk without any issues on only a few of them, but on the remaining machines we observed strange behavior.
After extracting the package, assigning ownership etc., we are able to set up the forwarder with "sudo -H -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt", and Splunk starts successfully and communicates with the Splunk server. But when I try to run "/opt/splunkforwarder/bin/splunk enable boot-start -user splunk" as the root user, it simply gets stuck/hangs, and the only way out is to stop it by pressing Ctrl-C or closing the PuTTY session. So basically the root user is unable to run /opt/splunkforwarder/bin/splunk for setup/start/stop; it just hangs. But setup/start/stop all work fine when we run them as the "splunk" user. With this behavior we are unable to run "enable boot-start", and weirdly this is happening only on a few RHEL 6.10 servers with SELinux in permissive mode (not on all). Wondering if there's any additional security that is causing this behavior of stopping root from running /opt/splunkforwarder/bin/splunk.
I know we can do this boot-start part manually by creating a startup script in init.d, which I would like to discuss later.
I appreciate any help, thanks!!