I have been a Unix admin for many years and understand Unix/Linux permissions well. What I am seeing on Splunk Server version 8.2.6 is that the Splunk local file "tailing processor" was not able to read a file that was set as sysadmin:adm and 640.

We have a file called "/var/log/vpn.log" that is produced and populated by rsyslog. The file has permissions like this:

uid=1001(splunk) gid=1001(splunk) groups=1001(splunk),4(adm)
root@ika:/all/scripts# ls -la /var/log/vpn*
-rw-r----- 1 syslog adm 2081292 Nov 30 12:37 /var/log/vpn.log

If I do a "su - splunk" to become the splunk user, I can for sure read that vpn.log file. But the tailing process still can't read it unless I set it to world (other) readable.

In order to get the tailing process to read the vpn.log file, I had to also add the user "splunk" to the group "sysadmin", which has read permissions on the containing directory /var/log. You'd think that the containing directory's (/var/log) blocked permissions wouldn't let a world-readable file be accessed either, so something weird is going on.

Once I added splunk to the syslog group (it was already in the adm group) so the directory permissions worked, the splunk tailing process could read the vpn.log file that wasn't world readable.

Maybe I don't understand Unix permissions as well as I thought. Does anyone else find this strange?
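As an added example (not code from the post above, and not from Splunk), the following Python models the discretionary access check the kernel applies when a daemon opens a log file, so the two questions in the post can be tested without touching a production box: which single permission class (owner, group, other) applies to each inode, and why every directory on the path needs the x bit before the file's r bit even matters. It assumes numeric ids (splunk 1001, adm 4, syslog 104), takes /var/log as root:root 0755 (the Debian default; the post does not show it), and constructs a /restricted directory and a /proc/<pid>/status excerpt. One check it encodes that an `id` or `su - splunk` test cannot show: a running process keeps the supplementary group list it was given when it started, so a splunkd started before the account joined adm keeps running without adm until it is restarted; `grep Groups: /proc/<pid>/status` shows the daemon's actual group set.

```python
"""Model of the Unix read-access check a log-tailing daemon has to pass.

Added example, not code from the post or from Splunk. Rules modelled:
 - exactly one permission class applies per inode (owner if the uid matches,
   else group if the gid is in the process's group set, else other; there is
   no fall-through to 'other' when the owner or group bits deny),
 - every directory on the path needs the x (search) bit, the file needs r,
 - uid 0 bypasses mode bits (CAP_DAC_OVERRIDE); ACLs and LSMs are not modelled.
Numeric ids and the inode table are constructed; /var/log as root:root 0755
is the Debian default, /restricted is made up to show a directory blocking
a world-readable file.
"""
import os
import stat

UID_ROOT, UID_SYSLOG, UID_SPLUNK = 0, 104, 1001            # assumed numeric ids
GID_ROOT, GID_ADM, GID_SYSLOG, GID_SPLUNK = 0, 4, 104, 1001

# path -> (uid, gid, mode)
FS = {
    "/":                     (UID_ROOT,   GID_ROOT,   0o755),
    "/var":                  (UID_ROOT,   GID_ROOT,   0o755),
    "/var/log":              (UID_ROOT,   GID_ROOT,   0o755),
    "/var/log/vpn.log":      (UID_SYSLOG, GID_ADM,    0o640),  # syslog:adm 640 as in the post
    "/restricted":           (UID_ROOT,   GID_SYSLOG, 0o750),
    "/restricted/world.log": (UID_SYSLOG, GID_ADM,    0o644),
}


def class_bits(uid, gids, owner, group, mode):
    """(r, w, x) that apply to one inode for a process with uid and group set gids."""
    if uid == 0:
        return (True, True, True)
    if uid == owner:
        shift = 6
    elif group in gids:
        shift = 3
    else:
        shift = 0
    return tuple(bool(mode & (bit << shift)) for bit in (4, 2, 1))


def can_read(path, uid, gids, fs=FS):
    """Return (ok, reason): x on '/' and every parent directory, then r on the file."""
    parts = [p for p in path.split("/") if p]
    dirs = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in dirs:
        owner, group, mode = fs[d]
        if not class_bits(uid, gids, owner, group, mode)[2]:
            return False, f"no search (x) permission on {d}"
    owner, group, mode = fs[path]
    if not class_bits(uid, gids, owner, group, mode)[0]:
        return False, f"no read (r) permission on {path}"
    return True, "readable"


def can_read_real(path, uid, gids):
    """Same check against the live filesystem, stat()ing each path component."""
    path = os.path.abspath(path)
    parts = [p for p in path.split("/") if p]
    fs = {}
    for i in range(len(parts) + 1):
        p = "/" + "/".join(parts[:i])
        st = os.stat(p)
        fs[p] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return can_read(path, uid, gids, fs)


def proc_groups(status_text):
    """Parse the 'Groups:' line of /proc/<pid>/status into the daemon's gid set."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return {int(g) for g in line.split(":", 1)[1].split()}
    return set()


# Constructed /proc/<pid>/status excerpt for a splunkd that was started before
# the splunk account was added to adm: its group set is still just 1001.
STATUS_OLD_DAEMON = "Name:\tsplunkd\nUid:\t1001\t1001\t1001\t1001\nGroups:\t1001 \n"


if __name__ == "__main__":
    login_groups = {GID_SPLUNK, GID_ADM}          # what `su - splunk; id` reports
    daemon_groups = proc_groups(STATUS_OLD_DAEMON)
    print("login shell :", can_read("/var/log/vpn.log", UID_SPLUNK, login_groups))
    print("old daemon  :", can_read("/var/log/vpn.log", UID_SPLUNK, daemon_groups))
    print("0644 file under 0750 dir:", can_read("/restricted/world.log", UID_SPLUNK, login_groups))
```

Run it and the three printed results line up with the post: the login shell's group set reads the 0640 file, a daemon whose group set predates the adm membership does not (and would only succeed once the file is 0644), and a 0644 file under a 0750 directory is unreadable to anyone outside the directory's class, which is the intuition the post expected. `can_read_real` does the same walk against real paths, but ignores POSIX ACLs and AppArmor/SELinux, so a denial it cannot explain is the cue to check `getfacl` and the audit log.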
Tenable.io is alerting on all my Splunk universal forwarder client hosts (Debian & Ubuntu). It is seeing port 8089 on these hosts (probably the management port??) and throwing this error:

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :
|-Subject : C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/Eemail@example.com

I don't need to encrypt Splunk communications from universal forwarder to Splunk server, I just want Tenable to see a signed cert on this port so it doesn't complain. Where is this file and can I replace it with my fullchain.pem from Letsencrypt that is already elsewhere on this host?

thanks,
Matt
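As an added example (not code from the post above, and not from Splunk), the following Python assembles the one PEM file that splunkd's management port certificate setting expects from a Let's Encrypt fullchain.pem and privkey.pem, and prints the matching server.conf stanza. It assumes that port 8089 presents the certificate named by `serverCert` under `[sslConfig]` in server.conf (default `$SPLUNK_HOME/etc/auth/server.pem`), that this file must contain the server certificate, then its private key, then the issuing chain, and that certbot's fullchain.pem is the leaf followed by the intermediates. The PEM bodies in the block are constructed placeholders, not real key material; the file paths are placeholders too.

```python
"""Build the single PEM that Splunk's serverCert setting expects from a
Let's Encrypt fullchain.pem + privkey.pem, and emit the server.conf stanza.

Added example, not code from the post or from Splunk. Assumptions: the
management port (8089) presents the certificate named by [sslConfig]
serverCert in server.conf (default $SPLUNK_HOME/etc/auth/server.pem), that
file holds server cert, then private key, then issuing chain, and certbot's
fullchain.pem is leaf followed by intermediates. PEM bodies below are filler.
"""
import os
import re

PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----\n.*?\n-----END [A-Z ]+-----\n", re.S)

# Constructed inputs shaped like certbot's output (bodies are filler, not real DER).
FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAFCERTBODY\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBODY\n-----END CERTIFICATE-----\n"
)
PRIVKEY = "-----BEGIN PRIVATE KEY-----\nKEYBODY\n-----END PRIVATE KEY-----\n"


def pem_blocks(text):
    """Split a PEM bundle into its -----BEGIN/END----- blocks, in file order."""
    return PEM_BLOCK.findall(text)


def build_splunk_pem(fullchain, privkey):
    """Return leaf cert + private key + intermediates, the order Splunk wants."""
    certs = [b for b in pem_blocks(fullchain) if "CERTIFICATE" in b]
    keys = [b for b in pem_blocks(privkey) if "PRIVATE KEY" in b]
    if not certs or len(keys) != 1:
        raise ValueError("expected at least one certificate and exactly one private key")
    return "".join([certs[0], keys[0]] + certs[1:])


def server_conf_stanza(pem_path):
    """server.conf stanza pointing the management port at the new PEM.
    No sslPassword line: Let's Encrypt private keys are not passphrase-protected."""
    return f"[sslConfig]\nserverCert = {pem_path}\n"


def write_files(fullchain_path, privkey_path, out_pem, conf_path):
    """Assemble from files on disk. The output holds the private key, so it is
    created 0600; the stanza is appended, so merge by hand if [sslConfig] exists."""
    with open(fullchain_path) as f, open(privkey_path) as k:
        combined = build_splunk_pem(f.read(), k.read())
    fd = os.open(out_pem, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write(combined)
    with open(conf_path, "a") as conf:
        conf.write(server_conf_stanza(out_pem))


if __name__ == "__main__":
    # Placeholder paths; adjust for the host. Typical use:
    # write_files("/etc/letsencrypt/live/HOST/fullchain.pem",
    #             "/etc/letsencrypt/live/HOST/privkey.pem",
    #             "/opt/splunkforwarder/etc/auth/le-server.pem",
    #             "/opt/splunkforwarder/etc/system/local/server.conf")
    print(build_splunk_pem(FULLCHAIN, PRIVKEY))
    print(server_conf_stanza("/opt/splunkforwarder/etc/auth/le-server.pem"))
```

After writing the file, the user splunkd runs as must be able to read it, and splunkd needs a restart to pick it up. This only changes what port 8089 presents; forwarder-to-indexer output on 9997 is configured separately in outputs.conf and is untouched, which fits the post's aim of fixing the scanner finding without changing forwarding. Let's Encrypt certificates expire every 90 days, so the same assembly has to run on each renewal (a certbot deploy hook is the usual place). If the forwarder does not need its management port at all, `[httpServer] disableDefaultPort = true` in server.conf turns it off, which makes the finding go away without any certificate work.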