cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
mbw
Observer
Member since: ‎09-28-2011
‎06-18-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-28-2011
View All

Re: Which UNIX permissions are best for monitoring...

by in Getting Data In
‎11-30-2022 01:15 PM
‎11-30-2022 01:15 PM
I am a unix admin for many years and understand unix/linux permissions well What I am seeing on Splunk Server version 8.2.6 is that the splunk local file "tailing processor" was not able to read a file that was set as sysadmin:adm and 640 We have a file called "/var/log/vpn.log" that is produced and populated by rsyslog The file has permissions like this: uid=1001(splunk) gid=1001(splunk) groups=1001(splunk),4(adm) root@ika:/all/scripts# ls -la /var/log/vpn* -rw-r----- 1 syslog adm 2081292 Nov 30 12:37 /var/log/vpn.log if I do a "su - splunk" to become the splunk user, I can for sure read that vpn.log file But the tailing process still cant read it unless I set it to world (other) readable In order to get the tailing process to read the vpn.log file, I had to also add the user "splunk" to the group "sysadmin" which has read permissions on the containing directory /var/log you'd think that containing directory (/var/log) blocked permissions wouldnt let a world-readable file be accessed either, so something weird is going on Once I added splunk to the syslog group (was already in the adm group) so the directory permissions worked, then splunk tailing process could read the vpn.log file that wasnt world readable Maybe I dont understand unix permissions as well as I thought - does anyone else find this strange? ... View more

Universal Forwarder hosts - How do I replace self-...

by in Installation
‎11-30-2022 12:40 PM
‎11-30-2022 12:40 PM
Tenable.io is alerting on all my splunk universal forwarder client hosts (Debian & Ubuntu) It is seeing port 8089 on these hosts (probably the management port??) and throwing this error: The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities : |-Subject : C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/E=support@splunk.com I dont need to encypt splunk commuications from universal forwarder to splunk server, I just want Tenable to see a signed cert on this port so it doesnt complain. Where is this file and can I replace it with my fullchain.pem from Letsencrypt that is already elsewhere on this host? thanks, Matt ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-18-2024 07:31 PM