×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ewok
Explorer
Member since: ‎10-02-2023
‎07-30-2025
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎10-02-2023
Topics I've Started
View All

Re: Splunk access to RHEL audit.log

by in Getting Data In
‎07-30-2025 01:53 PM
‎07-30-2025 01:53 PM
Too follow up.  Using  [Service] AmbientCapabilities=CAP_DAC_READ_SEARCH This fails under the following conditions: If you have an old `Splunkd.service` file, with a line using =!, like the following: ExecStart=!/opt/splunk/bin/splunk _internal_launch_under_systemd If so, you will need to recreate the Splunkd.service file. If you utilize the "Data inputs --> Files & directories" monitor method for ingest the /var/log/audit/audit,log files this fails. This works with a current Splunk version (mine is 9.3.5) created Splunkd.service file and using the Splunk_TA_nix script method of ingest using rlog.sh. Kuddos to @livehybrid for causing me to review and realize I had an out of date Splunkd.service file   ... View more

Splunk access to RHEL audit.log

by in Getting Data In
‎07-28-2025 08:27 PM
‎07-28-2025 08:27 PM
Running Splunk 9.3.5 on RHEL 8.  STIG hardened environment.  The non-Splunk RHEL instances running a Universal Forwarder have no issue access the audit.log files, apparently by virtue of the statement AmbientCapabilities=CAP_DAC_READ_SEARCH located in the /etc/systemd/system/SplunkForwarder.service file.  However, the same is not true on the Splunk instance.  They require read access permissions via a file ACL or something.  Where these options all result in multiple STIG compliance findings.  Which each require write ups a vendor (Splunk) dependencies.   Question - why?  Why can't Splunk access the audit.log files the same way as the UF?  Or is there some way to do the same sort of thing with AmbientCapabilities for Splunkd.Service? It is tempting to quit collecting these logs with Splunk itself and install UF on the Splunk instances too. ... View more

Re: Splunk upgrade from 7.3.3 to 8.0.6 fails with ...

by in Installation
‎10-20-2023 06:58 PM
‎10-20-2023 06:58 PM
Thank you Chris.  Do  you (or anyone else) know if this requirement is documented somewhere?  The implementation has security requirement requiring STIG compliance.  Having /tmp mounted exec (without noexec) is a finding.  So, to go with this it needs to be documented as a vendor dependency.  But I haven't found this in anything from Splunk as a requirement. ... View more

Re: Splunk upgrade from 7.3.3 to 8.0.6 fails with ...

by in Installation
‎10-02-2023 11:13 AM
‎10-02-2023 11:13 AM
Seeing this same issue doing an instance replacement with 9.0.4 or 9.0.5.  Was there ever a solution? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-30-2025 01:36 PM
Karma given to
View All