Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can one enable the universal forwarder under solaris 10 to read /var/log/authlog as user "splunk"?

cmonig
Explorer
‎09-14-2012 02:09 AM

Hi,

we want to deploy universal forwarders to solaris 10 machines.
For security reasons, we want to keep the number of applications running with root priviledges as low as possible, and would prefer to run the forwarder as the user "splunk".

We need to index the contents of the file "/var/log/authlog", which is only readable for "root":

-rw------- 1 root sys 34M Sep 14 08:42 authlog

We tried to add splunk to the group "sys", and make the file readable to the group, but this is not working as the process writing "authlog" resets the permission each time authlog is written to.

Is there a way to work around this, or is the only solution to run splunk with root priviledges?

Thanks,

Christoph

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-15-2012 05:45 AM

This really isn't a "Splunk" question so much as it is a Unix file systems permission one. Splunk is just any other process, required to follow the permission model as defined by the operation system. You have some options:

  1. Run Splunk as root (you've already said this is undesirable)
  2. Hack up a scripted input that can run setuid (also undesirable IMHO)
  3. See if Solaris will let you apply a POSIX ACL to the /var/log/authlog file, explicitly granting read privs to user splunk. The big trick here is whether it will be maintained over rotations and so on.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-15-2012 05:45 AM

This really isn't a "Splunk" question so much as it is a Unix file systems permission one. Splunk is just any other process, required to follow the permission model as defined by the operation system. You have some options:

  1. Run Splunk as root (you've already said this is undesirable)
  2. Hack up a scripted input that can run setuid (also undesirable IMHO)
  3. See if Solaris will let you apply a POSIX ACL to the /var/log/authlog file, explicitly granting read privs to user splunk. The big trick here is whether it will be maintained over rotations and so on.
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...