How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

michael_lee
Path Finder

I find that I encounter more problems running Splunk instances as the user splunk than as root. When I use splunk to start a Splunk instance, the receiving port that I use to listen for incoming forwarded data cannot be started. When I use root to start the Splunk instance, everything works. So, should I be running the Splunk instance as root or not? If not, how should I configure the Splunk instance to run smoothly under a normal user account?

0 Karma
1 Solution

MuS
Legend

Hi michael_lee,

this is not a Splunk problem, this is based on the so-called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use an iptables rule to route input for port 800 to the Splunk port 1800:

   /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

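The redirect from the accepted answer, wrapped in a small POSIX shell helper as an added example (not code from the thread or from Splunk). It keeps the rule idempotent by checking with `-C` before appending with `-A`, refuses nonsensical port pairs, and only touches the firewall when run with an explicit `apply` argument. The iptables path and the 800/1800 port pair are assumptions taken from the answer; change them to match the port in your inputs.conf.

```shell
#!/bin/sh
# Added example: idempotent helper for the "privileged port -> unprivileged
# Splunk input" redirect. Assumes /usr/sbin/iptables (as in the answer) and
# the example ports 800 -> 1800; adjust both for your environment.

IPTABLES=/usr/sbin/iptables

# is_privileged_port PORT: succeeds when PORT is 1..1023, i.e. binding it needs
# root (or CAP_NET_BIND_SERVICE); fails otherwise, including non-numeric input.
is_privileged_port() {
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -lt 1024 ]
}

# redirect_args FROM TO: the match/target part of the rule, shared by the
# check (-C) and the append (-A) so the two can never drift apart.
redirect_args() {
    echo "-p tcp -m tcp --dport $1 -j REDIRECT --to-ports $2"
}

# ensure_redirect FROM TO: append the PREROUTING REDIRECT rule only if it is
# not already present, so re-running the script never stacks duplicates.
# Returns 0 when the rule exists afterwards, 1 when the request is rejected.
ensure_redirect() {
    from=$1; to=$2
    if ! is_privileged_port "$from"; then
        echo "refusing: $from is not privileged, the Splunk input can bind it directly" >&2
        return 1
    fi
    if is_privileged_port "$to"; then
        echo "refusing: target port $to is itself privileged" >&2
        return 1
    fi
    # Word splitting of redirect_args output is intended here.
    if "$IPTABLES" -t nat -C PREROUTING $(redirect_args "$from" "$to") 2>/dev/null; then
        echo "redirect $from -> $to already present"
    else
        "$IPTABLES" -t nat -A PREROUTING $(redirect_args "$from" "$to") || return 1
        echo "redirect $from -> $to added"
    fi
}

# Only change the firewall when explicitly asked: "sh redirect.sh apply".
# Sourcing or running the file without arguments just defines the functions.
if [ "${1:-}" = "apply" ]; then
    ensure_redirect 800 1800
    "$IPTABLES" -t nat -S PREROUTING   # print the resulting chain for review
fi
```

Two things to check after applying it: PREROUTING only sees packets arriving from other hosts, so test the redirect from a forwarder rather than from the indexer itself, and nat rules do not survive a reboot unless you save them with your distribution's iptables persistence mechanism (e.g. `iptables-save`).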

michael_lee
Path Finder

thanks. so what should be running on port 800? is port 800 in your example a service?

0 Karma

esix_splunk
Splunk Employee

As a note here, Splunk by default uses ports > 1024, which don't require privileges to open. For example, the default web port is TCP/8000 and the default Splunk input port is TCP/9997.

In cases where you want to use ports < 1024, you will need root or super user level access to do this.

0 Karma

MuS
Legend

Another side note, this post from @Gilles http://unix.stackexchange.com/questions/10735/linux-allowing-an-user-to-listen-to-a-port-below-1024 provides three possible solutions for this. From my point of view the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/installation/RunSplunkasadifferentornon-rootuser should be modified in this regard - I'll ping @docs

0 Karma

MuS
Legend

This is the port Splunk will open for your input and it's just an example, instead of foo I used 800.

0 Karma