To maintain correct permissions how do you allow for splunk to read /var/log? I keep getting the following error
06-08-2011 16:17:16.355 -0400 WARN FilesystemChangeWatcher - error reading directory "/var/log": Permission denied
I am very reluctant to change /var/log to 640. Any help would be appreciated.
I would recommend adding the ID that splunk runs as to a group which has read permissions to those logs. Running splunk as root is usually not worth the risk/scrutiny that it will come under from most organizations.
example: the following log has read permissions for the owner root and the group root. Adding the splunk id to the group root should allow the splunk id to read a log with 640 permissions as shown below.
ls -l /var/log/messages
-rw-r----- 1 root root 2500271 Dec 15 15:03 messages
Another option would be to have the log set to world readable. ie. permissions of 644.
Ultimately, you will need to speak to the sys admin as permissions may have higher/lower security levels at different companies.
Ok for all future purposes or anyone needing to use splunk without running it as root. You will need to set acls on the /var/log directory. You only need to set read for the splunk user which will still keep you in a very secure setup as long as you keep splunk as a /sbin/nologin account also.
I downvoted this post because running any applications as root is considered a severe security risk and most organisations with any sense will laugh at this recommendation. use acls on the host or add the splunk user to a group that has read access
Could you describe the best way to present access to the splunk account to do this. I would + security would prefer if it ran as splunk. I was thinking possibly make a modification to sudoers but I am unsure if it does a cat or a tail or other to the logs.