Hi,
we want to deploy universal forwarders to solaris 10 machines.
For security reasons, we want to keep the number of applications running with root priviledges as low as possible, and would prefer to run the forwarder as the user "splunk".
We need to index the contents of the file "/var/log/authlog", which is only readable for "root":
-rw------- 1 root sys 34M Sep 14 08:42 authlog
We tried to add splunk to the group "sys", and make the file readable to the group, but this is not working as the process writing "authlog" resets the permission each time authlog is written to.
Is there a way to work around this, or is the only solution to run splunk with root priviledges?
Thanks,
Christoph
This really isn't a "Splunk" question so much as it is a Unix file systems permission one. Splunk is just any other process, required to follow the permission model as defined by the operation system. You have some options:
/var/log/authlog
file, explicitly granting read privs to user splunk
. The big trick here is whether it will be maintained over rotations and so on.This really isn't a "Splunk" question so much as it is a Unix file systems permission one. Splunk is just any other process, required to follow the permission model as defined by the operation system. You have some options:
/var/log/authlog
file, explicitly granting read privs to user splunk
. The big trick here is whether it will be maintained over rotations and so on.