
Is a Splunk user created automatically when I do a Splunk installation?

rakesh_498115
Motivator

Hi ,

I used the RPM installation of Splunk Forwarder 5.0.4 on my Linux server. After the installation I could see that a user "splunk" and a group "splunk" had been created. Is this the expected behaviour? How can I stop this user from being created and use my own user for the installation?


lcrielaa
Communicator

An RPM is like an MSI for Windows. It contains the software and any instructions needed to run the software. In this case, Splunk packaged their RPM to create a user called Splunk because it's safer to run Splunk as a non-root user. This does come at a disadvantage (such as not being able to bind ports under 1024).

If you want to use the RPM (and you should if you're running Redhat, CentOS, etc.) but you don't want the user, then I suggest simply removing the user/group and chowning the splunk directory:

userdel splunk
groupdel splunk
chown -Rh $newuser:$newgroup /opt/splunk   (e.g. chown -Rh splunker:splunker /opt/splunk)

This will remove the splunk user, delete the splunk group and set the ownership of /opt/splunk (and anything under it) to your new user. You will have to create that specific user and group first though.

Rebuilding the forwarder RPM is a pain to do. To do it properly, you'd need the source RPM which we don't have. Also, if you were to extract the existing package, edit the post-installation triggers to stop the creation of the Splunk user then you'd have to rebuild the package but you wouldn't be able to sign it with Splunk's GPG key. So you'd have to leave it unsigned or use a key of your own which is trusted by your systems.

All in all, if you don't want the splunk user on your system then just remove it and make sure that files are owned by another user instead or use the tarball which you can simply extract to a certain directory and just run Splunk.
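The procedure above (create a replacement account, chown the tree, confirm nothing is left owned by the old account) as an added example; this is not code from the thread or from Splunk. SPLUNK_HOME, NEW_USER, NEW_GROUP and the nologin path are assumptions you would adjust.

```shell
#!/bin/sh
# Added example: re-home a forwarder installed from the RPM to a dedicated
# non-login account and verify that nothing is left owned by the RPM's
# "splunk" user. Paths and account names below are assumptions, not Splunk's.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
NEW_USER="${NEW_USER:-splunker}"
NEW_GROUP="${NEW_GROUP:-splunker}"
NOLOGIN="${NOLOGIN:-/usr/sbin/nologin}"   # /sbin/nologin on some distros

# Create the replacement account: system user, no password, no shell (needs root).
create_service_account() {
  getent group "$NEW_GROUP" >/dev/null || groupadd --system "$NEW_GROUP"
  getent passwd "$NEW_USER" >/dev/null ||
    useradd --system --gid "$NEW_GROUP" --home-dir "$SPLUNK_HOME" \
            --no-create-home --shell "$NOLOGIN" "$NEW_USER"
}

# Report every path under $1 not owned by user $2 and group $3.
# Returns 0 when the tree is clean, 1 (listing the strays on stderr) otherwise.
# After userdel, files of the old account show up as a bare numeric UID and
# are caught here.
check_ownership() {
  stray=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print)
  if [ -n "$stray" ]; then
    printf 'paths not owned by %s:%s\n%s\n' "$2" "$3" "$stray" >&2
    return 1
  fi
  return 0
}

# Drop the RPM-created account, chown the tree (":" is the portable
# separator; "." also works with GNU chown), then verify the result.
rehome() {
  userdel splunk 2>/dev/null || true    # already gone or still running splunkd
  groupdel splunk 2>/dev/null || true
  chown -Rh "$NEW_USER:$NEW_GROUP" "$SPLUNK_HOME"
  check_ownership "$SPLUNK_HOME" "$NEW_USER" "$NEW_GROUP"
}

# Run with --apply as root to perform the change; otherwise only define functions.
if [ "${1:-}" = "--apply" ]; then
  create_service_account && rehome
fi
```

Stop the forwarder before running it with --apply, since userdel refuses to remove an account that still owns running processes.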

lherrera
Splunk Employee

Which is the password for that Splunk user that RPM creates?


isoutamo
SplunkTrust

It hasn't got any password. The RPM installation just creates that group and user. I prefer to create an additional non-login user w/o password and use it. Just do sudo -u USER bash to use it when needed.

kristian_kolb
Ultra Champion

Yes, this is expected behaviour for an RPM installation.

If you install via the .tgz download instead, no account is created.

See more on that here:

http://docs.splunk.com/Documentation/Splunk/latest/Installation/InstallonLinux


UPDATE:

See further in the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser

I'm not RPM savvy enough to tell you if/how you can rebuild the package to automatically install as a specific user account.

/K

rakesh_498115
Motivator

What if I don't want the user to be created at all, and want the RPM installation to run as my own defined user?
