Solved: how to give splunk user in Linux UF to read /var/l...

radam2000 · ‎03-05-2021

redhat 7

created a splunk user in linux - added user to wheel group and sudoers

Installed splunk UF for linux 7.3.7.1
all files chown splunk:splunk

configured splunk to runas splunk user
all successfull - ps shows splunk pids as splunk user even if started from root...

as splunk user
go to var/log/

-rw-r--r--. 1 root root 57814 Mar 5 11:17 tftpd.log
-rw-------. 1 root root 1810830 Mar 5 12:00 kern.log
-rw-------. 1 root root 1534866879 Mar 5 13:54 user.log
-rw-r--r--. 1 root root 411594197 Mar 5 15:45 mrtg.log
-rw-------. 1 root root 161108311 Mar 5 15:46 cron.log
-rw-------. 1 root root 38312402 Mar 5 15:46 secure.log
-rw-------. 1 root root 249091058 Mar 5 15:46 daemon.log
-rw-------. 1 root root 1578879854 Mar 5 15:47 messages.log

as splunk user I can't tail -10 messages.log or secure.log - permission denied
if i sudo tail -10 then i can read these files and displayed...
setup Splunk_TA_nix and local/inputs.conf - monitor for secure.log and messages.log - get splunk UF error in splunkd.log - permission denied...

What do I need to do to make this work properly as splunk user...
can't add sudo to inputs.conf monitor command... so splunk user needs read rights to these files in /var/log for TA_nix to work properly

Suggestions welcome please.... thanks in advance... Rich

richgalloway · ‎03-05-2021

Use the setfacl command to give splunk user access to the monitored files.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-05-2021

Use the setfacl command to give splunk user access to the monitored files.

---
If this reply helps you, Karma would be appreciated.

how to give splunk user in Linux UF to read /var/log/messages.log - permission denied

configuration

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life