Thanks for your info.

Thanks for the information.

Great topic. I'd love to see more details in the documentation on best security practices for collection methods. Maybe a matrix?

• syslog - Great for many network devices, however doesn't usually work for Webservers/App Servers which don't write out in the syslog format on Unix
• Running as root (security implications)
• Making logs world readable (security implications)
• Add Splunk to a group which has read permissions to logs (My first choice, however there is usually a limit of 16 groups per Unix ID and sometimes an entprise may have hundreds of groups that log files are owned by)
• Unix ACLs - May be a great alternative, however how difficult are they to manage?
• Mounting logs remotely?

> Splunk recommends that you don't run as root.

I'm looking for a citation in the online docs, but not finding any specific recommendation. A recommendation from Splunk would be helpful in forming or justifying our own policy. All I have found so far is Run Splunk Enterprise as a different or non-root user

Here's the source from docs:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Installation/RunSplunkasadifferentornon-rootuser

In section "Run Splunk Enterprise as a different or non-root user":

It says:

"On *nix based systems, you can run Splunk Enterprise as a user other than root. This is a Splunk best practice and you should configure your systems to run the software as a non-root user where possible."

Seems the local system account on Windows (default for Splunk Windows installs) is a very near equivalent of root on Unix, however I don't think that is called out as a security risk the same way as root is.

Thanks for the information.