Solved: owner of props.conf ?

martinh3 · ‎06-15-2015

I'm fairly new to Splunk, but I use it both at home (on openSUSE linux) and at work (redhat linux).
At home, most of the installed files are owned by "splunk".
At work, we're working with a fairly new install, and I noticed that the .conf files on the Splunk Enterprise are owned by root, and read/writable only for root : ( -rw------- ) .
Can anyone think of a possible configuration where this would be advisable?

MuS · ‎06-15-2015

Hi martinh3,

there are two answers related to this topic:
http://answers.splunk.com/answers/145385/should-we-run-splunk-as-root-or-non-root-user.html
http://answers.splunk.com/answers/186821/is-there-any-reason-not-to-run-splunk-as-root.html

To sum them up, it is not advised to run Splunk as root - run it with the splunk user account.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎06-15-2015

Hi martinh3,

there are two answers related to this topic:
http://answers.splunk.com/answers/145385/should-we-run-splunk-as-root-or-non-root-user.html
http://answers.splunk.com/answers/186821/is-there-any-reason-not-to-run-splunk-as-root.html

To sum them up, it is not advised to run Splunk as root - run it with the splunk user account.

Hope this helps ...

cheers, MuS

owner of props.conf ?

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!