Solved: How to change permissions on Splunk log files?

dshakespeare_sp · ‎01-22-2015

I have a need to monitor splunk logs with other applications, therefore I would like to change all (existing and newly created ones) splunk logs' permission from 600(rw- --- ---) to 604(rw- --- r--).
Is there a good way to accomplish this ?

This needs to work for all files, both new and existing.
I have tried setting "umask" etc, but nothing I have tried seems to work.

Any Ideas?

dshakespeare_sp · ‎01-22-2015

As this only affects the $SPLUNK_HOME/var/log files the following has worked for some customers

"splunk stop"
chmod -R 604 <$SPLUNK_HOME/var/log/splunk> (change existing file)
setfacl -Rmd:other:r <$SPLUNK_HOME/var/log> (set ACLs on directory so all new files are created 604)
"splunk start"

View solution in original post

jmackie · ‎05-27-2018

If Splunk's official response to this is 'use setfacl' and not "we should be obeying the umask set for the user Splunk runs as", that's pretty awful from a system administrators point of view.

dshakespeare_sp · ‎01-22-2015

As this only affects the $SPLUNK_HOME/var/log files the following has worked for some customers

"splunk stop"
chmod -R 604 <$SPLUNK_HOME/var/log/splunk> (change existing file)
setfacl -Rmd:other:r <$SPLUNK_HOME/var/log> (set ACLs on directory so all new files are created 604)
"splunk start"

How to change permissions on Splunk log files?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases