The Splunk indexer and forwarders in my environment are configured to run as the "splunk" user for security reasons. Of course, this means that Splunk can no longer read root-owned log files. The first two thoughts to cross my mind were to either use filesystem ACLs to provide read access to the splunk user or use a dedicated user group.
I'm just curious to see what people in this type of environment are doing to get around this issue. Have you run into any specific issues one way or the other?
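A sandbox walk-through of the ACL option, added here as an example; it is not part of the original post and not Splunk's own code or documentation. It works in a scratch directory with an assumed numeric UID (60001, standing in for the splunk account) so it runs without root and without a real splunk user, and the log line it writes is constructed. Besides granting the read ACL and a default ACL on the directory (so files created by rotation inherit it), it shows the check a practitioner wants after the first rotation: chmod on a file that carries an ACL rewrites the ACL mask from the mode's group bits, so logrotate's `create 0600` silently masks the splunk entry, while `create 0640` keeps it readable.

```sh
#!/bin/sh
# Added example (not from the original post): give the splunk user read access to a
# root-owned log with a POSIX ACL, then show how logrotate's "create MODE" can undo it.
# Production equivalent (run as root, real path and user name):
#   setfacl -m u:splunk:r-- /var/log/secure
#   setfacl -d -m u:splunk:r-- /var/log          # default ACL so rotated files inherit it
#   and in /etc/logrotate.d/...: "create 0640 root root" (not 0600, see mask note below)
set -u

SPLUNK_UID=${SPLUNK_UID:-60001}   # assumed UID standing in for the splunk account
SANDBOX=$(mktemp -d)
LOGDIR="$SANDBOX/var/log"
trap 'rm -rf "$SANDBOX"' EXIT

# Build a root-style log tree: a 0600 file that the splunk UID cannot read.
setup_sandbox() {
    mkdir -p "$LOGDIR"
    rm -f "$LOGDIR/secure" "$LOGDIR/secure.1"
    # constructed sample line
    printf 'Jan  1 00:00:00 host sshd[1]: Accepted publickey for root\n' > "$LOGDIR/secure"
    chmod 0600 "$LOGDIR/secure"
}

# Does the filesystem holding the logs accept POSIX ACLs at all? (tmpfs, ext4, xfs do;
# some network and container filesystems do not.)
acl_supported() {
    probe="$LOGDIR/.aclprobe"
    : > "$probe"
    if setfacl -m "u:$SPLUNK_UID:r--" "$probe" >/dev/null 2>&1; then ok=0; else ok=1; fi
    rm -f "$probe"
    return "$ok"
}

# Grant read on the existing file, and install a default ACL on its directory so
# files created there later (rotated logs) carry the same named-user entry.
grant_read_acl() {
    setfacl -m "u:$SPLUNK_UID:r--" "$1"
    setfacl -d -m "u:$SPLUNK_UID:r--" "$(dirname "$1")"
}

# Effective permission the splunk UID really has on a file once the ACL mask is applied.
# getfacl prints "user:60001:r--" when unmasked, or "user:60001:r--   #effective:---".
effective_splunk_perm() {
    getfacl --omit-header --numeric "$1" 2>/dev/null \
      | awk -v uid="$SPLUNK_UID" -F'[: \t]+' \
            '$1 == "user" && $2 == uid { print ($0 ~ /#effective:/) ? $NF : $3 }'
}

# What logrotate's "create MODE" does to a rotated log: the old file is moved aside,
# a new one is created (inheriting the directory's default ACL), then chmod MODE runs.
# chmod sets the ACL mask from MODE's group bits, so 0600 masks the splunk entry out.
simulate_logrotate_create() {
    mv "$1" "$1.1"
    : > "$1"
    chmod "$2" "$1"
}

main() {
    setup_sandbox
    if ! command -v setfacl >/dev/null 2>&1 || ! acl_supported; then
        echo "setfacl unavailable or ACLs unsupported on $LOGDIR; demo skipped"
        return 0
    fi
    grant_read_acl "$LOGDIR/secure"
    echo "after setfacl:        $(effective_splunk_perm "$LOGDIR/secure")"
    simulate_logrotate_create "$LOGDIR/secure" 0600
    echo "after 'create 0600':  $(effective_splunk_perm "$LOGDIR/secure")"
    simulate_logrotate_create "$LOGDIR/secure" 0640
    echo "after 'create 0640':  $(effective_splunk_perm "$LOGDIR/secure")"
}

main
```

Run it as-is with sh; the three lines it prints are the check worth repeating on a real host after the first rotation (`getfacl /var/log/secure` and look for `#effective`). The dedicated-group alternative has the same rotation caveat in the other direction: the rotated file comes back root-only unless logrotate's `create 0640 root <group>` and rsyslog's `$FileGroup` / `$FileCreateMode` name the group, so either approach needs the log writer's and rotator's create settings adjusted, not just the existing files.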