I've seen the same thing as both Lowell and johntobin. We recently upgraded from 6.0.2 to 6.1.3, and wound up with a number of files I had to chown to the splunk user.
Additionally, we have run into a permissions issue when it starts up:
WARN FilesystemChangeWatcher - error reading directory "/path/to/syslogs": Permission denied
The splunk user is part of a group which has read only access to these files. Unfortunately, with the new init script setup and the SPLUNK_OS_USER (which is set properly in /opt/splunkforwarder/etc/splunk-launch.conf) this fails to start up.
Workarounds seem to be as previously stated:
1) su to the splunk user and start it with /opt/splunkforwarder/bin/splunk start
OR
2) Revert to the old init script.
Either of these work.
Just wanted to point out this had not been fixed yet as of 6.1.3.
... View more