After upgrading the forwarder to 7.2.6, it's not getting controlled by the Splunk user (specifically aligned to Splunk only (non-root user)) while restarting the service.
We upgraded Splunk UF to 7.2.6 from 6.x.x. Everything is working as expected, but while stopping/starting the Splunk service it's asking for authentication (mentioned below). This message comes only once we enable boot start for the Splunk user so that it can auto start after reboot. If we disable boot start then I am not getting these messages.
[user@servername ~]$ /usr/splunk/splunkforwarder/bin/splunk restart
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Multiple identities can be used for authentication:
After the line above you will get multiple user identities; these are the users whose IDs are synced with the root user. If I ask them, they are able to restart Splunk, but they have to choose their username and password. So what do we need to do to add the splunk user to this identities list? Is there a way to get rid of this?
Splunk UF version - 7.2.6
OS version - Red Hat Enterprise Linux Server release 7.6 (Maipo)
Do we need to tweak the Splunk configuration or make any entries in the sudoers file on the OS side?
Summary of the issue:
Splunk 6.0.0 - Splunk 7.2.1 defaults to using init.d when enabling boot start
Splunk 7.2.2 - Splunk 7.2.9 defaults to using systemd when enabling boot start
Splunk 7.3.0 - Splunk 8.x defaults to using init.d when enabling boot start
systemd defaults to prompting for root credentials upon stop/start/restart of Splunk
Here is a simple fix if you have encountered this issue and prefer to use the traditional init.d scripts vs systemd.
Splunk Enterprise/Heavy Forwarder example (note: replace the splunk user below with the account you run splunk as):
sudo /opt/splunk/bin/splunk disable boot-start
sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 0
Splunk Universal Forwarder example (note: replace the splunk user below with the account you run splunk as):
sudo /opt/splunkforwarder/bin/splunk disable boot-start
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk -systemd-managed 0
sudoers will not resolve this problem; refer to FrankVI's comments around the systemd usage in Splunk 7.2.
If you choose to stay with systemd in the particular Splunk 7.2 version or above refer to:
That will provide a solution to remove the password prompt, if not feel free to use init.d if that is preferred!
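An added example, not part of the original answer: it maps a version to the default listed in the summary above and reports whether a host has /etc/init.d/splunk, a systemd unit, or both, which is what decides whether a non-root restart hits the prompt. The function names, the ExecStart match used to recognise a Splunk unit, and the --report argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a host's Splunk boot-start setup.

# Turn MAJOR.MINOR.PATCH into a comparable integer, e.g. 7.2.6 -> 70206.
ver_num() {
    echo "$1" | awk -F. '{ printf "%d", $1 * 10000 + $2 * 100 + $3 }'
}

# Default boot-start manager for a version, using only the ranges listed in
# the accepted answer's summary; anything outside them is "unknown".
default_boot_manager() {
    n=$(ver_num "$1")
    if   [ "$n" -ge 60000 ] && [ "$n" -le 70201 ]; then echo "init.d"
    elif [ "$n" -ge 70202 ] && [ "$n" -le 70209 ]; then echo "systemd"
    elif [ "$n" -ge 70300 ] && [ "$n" -lt 90000 ]; then echo "init.d"
    else echo "unknown"
    fi
}

# What is actually configured under ROOT ("" means the live filesystem).
# Assumption: a Splunk unit is any *.service whose ExecStart runs bin/splunk.
detect_boot_manager() {
    root=${1:-}
    sd=0; initd=0
    for f in "$root"/etc/systemd/system/*.service; do
        [ -f "$f" ] || continue
        if grep -Eq '^ExecStart=.*/bin/splunk( |$)' "$f"; then sd=1; fi
    done
    if [ -f "$root/etc/init.d/splunk" ]; then initd=1; fi
    case "$sd$initd" in
        11) echo "both" ;;
        10) echo "systemd" ;;
        01) echo "init.d" ;;
        *)  echo "none" ;;
    esac
}

# Print (do not run) the switch-back commands from the accepted answer.
initd_fix_commands() {
    home=$1; user=$2
    echo "sudo $home/bin/splunk disable boot-start"
    echo "sudo $home/bin/splunk enable boot-start -user $user -systemd-managed 0"
}

# Stand-alone use: ./check.sh --report /opt/splunkforwarder splunk
if [ "${1:-}" = "--report" ]; then
    echo "configured: $(detect_boot_manager)"
    if [ "$(detect_boot_manager)" = "systemd" ]; then initd_fix_commands "$2" "$3"; fi
fi
```

A result of "both" means an old init.d script was left behind next to a systemd unit, which is worth cleaning up before changing the boot-start mode.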
This is due to Splunk using systemd to manage the Splunk process by default in certain 7.2.x versions. If you want to get rid of this, you can enable boot start with the old method by adding
-systemd-managed 0
https://docs.splunk.com/Documentation/Splunk/latest/Admin/RunSplunkassystemdservice#Additional_optio...
This is due to systemd changes introduced by Splunk in 7.2.2; have a look at the Answers post https://answers.splunk.com/answers/738877/splunk-systemd-unit-file-in-versions-722-and-newer.html which explains this behavior and solution.
We enabled it using the command: /usr/splunk/splunkforwarder/bin/splunk enable boot-start -user
and it's making entries under /etc/init.d/splunk on Linux boxes, but when we upgraded it to 7.2.6 we lost control of stopping/starting the service. So, as per the above document, do we need to use systemd to control Splunk?
My question is: the same thing is working in the lower Splunk UF version 6.x.x but not on 7.2.6.
I would say just try installing the same in your test env. once for the same scenario.