Per the instructions found here in the splunkbase and here, I tried to use the 'setcap' command. I can't quite get it to work. Modifying /opt/splunk/bin/splunk does not allow splunk to bind to the admin ports. Trying to setcap /opt/splunk/bin/python2.6 causes python to lose access to the local python modules.
Is there a documented way to use Linux Capabilities to allow a non-root Splunk system to listen on 443 and 514?
First test of setcap, nothing changed but permissions of bin/splunk
cps@sea-splunk01:/opt/splunk/bin$ setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
unable to set CAP_SETFCAP effective capability: Operation not permitted
cps@sea-splunk01:/opt/splunk/bin$ sudo !!
sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Done.
If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation
The Splunk web interface is at http://sea-splunk01:8000
OK, this all works, so I'm going to try modifying to use port 443 and restart
cps@sea-splunk01:/opt/splunk/etc$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [443]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory... Done.
Checking databases...
Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Error starting splunkweb.
Hmmm, it saw that 443 was open, but couldn't bind it. Rats. Change back to 8443 for now, and restart.
Let's try modifying bin/python2.6, and see what happens
cps@sea-splunk01:/opt/splunk/bin$ sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/python2.6
cps@sea-splunk01:/opt/splunk/bin$
cps@sea-splunk01:/opt/splunk/bin$
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
Splunk> 4TW
Checking prerequisites...
Checking http port [8443]: open
Checking mgmt port [8089]: open
Traceback (most recent call last):
File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli.py", line 17, in <module>
import splunk.clilib.cli_common as comm
File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli_common.py", line 6, in <module>
import lxml.etree as etree
ImportError: libxslt.so.1: cannot open shared object file: No such file or directory
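Added example (not part of the original post, and not Splunk's own tooling): a file capability set with setcap is granted when that exact binary is executed and is not carried over to a different, untagged binary the process later executes, so a practical check is to read each running process's capability masks from /proc/<pid>/status. The status contents below are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does a running process really hold CAP_NET_BIND_SERVICE?
# Reads the Cap* bitmasks that Linux exposes in /proc/<pid>/status.
CAP_NET_BIND_SERVICE=10   # bit number from <linux/capability.h>

# cap_mask FILE SET: print the hex mask of CapInh, CapPrm, CapEff or CapBnd.
cap_mask() {
    awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

# has_cap FILE SET BIT: status 0 if the bit is set, 1 if clear, 2 if SET is absent.
has_cap() {
    mask=$(cap_mask "$1" "$2")
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $3) & 1 )) -eq 1 ]
}

# can_bind_low_ports FILE: print "yes" when the effective set carries the
# capability that bind() checks for ports below 1024, otherwise "no".
can_bind_low_ports() {
    if has_cap "$1" CapEff "$CAP_NET_BIND_SERVICE"; then echo yes; else echo no; fi
}

# Constructed samples (not captured from a real host): a process started from
# a binary tagged cap_net_bind_service=+ep, and a child that exec'd another,
# untagged binary and therefore ended up with empty sets.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'Name:\ttagged\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n' > "$SAMPLES/tagged.status"
printf 'Name:\tchild\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n' > "$SAMPLES/child.status"

for f in "$SAMPLES"/*.status; do
    echo "$(basename "$f" .status): CapEff=$(cap_mask "$f" CapEff) low ports: $(can_bind_low_ports "$f")"
done
# On a live system: can_bind_low_ports "/proc/<pid>/status"
```

Running the check against the PID that actually calls bind() for the port shows whether the capability reached that process or stopped at the binary that was tagged.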