Splunk Search

default umask for file creation on OS

chicodeme
Communicator

Splunk runs as root so it has access to monitor anything on the system without managing those permissions.
I ran this:
find /opt/splunk/ -type d -exec chmod g+s {} \;
The files get created as:
-rw------- 1 root splunk filename
I want to have them as:
-rw-rw---- 1 root splunk filename

Any ideas besides changing the root user's default umask?


southeringtonp
Motivator

One option would be to run Splunk as a non-root user, and set the umask on the Splunk account. You would need to make sure all log files are viewable by the Splunk account, of course.

If you do need to run Splunk as root, POSIX ACLs may be your answer. Something like the following:

# Make sure all existing files are group-owned by Splunk. Set the filesystem
# ACL to allow the Splunk group as the default for new files, and set the 
# same ACL on currently existing files.
cd /opt/splunk/etc/apps
sudo setfacl -R -b .
sudo chown -R splunk:splunk .
sudo setfacl -R -d -m g:splunk:rwx .
sudo setfacl -R -m g:splunk:rwx .

# Then repeat the above for /opt/splunk/etc/system/local or other paths as desired.

southeringtonp
Motivator

Agreed that a configurable umask setting in Splunk would be a big plus. (Time to file an ER!).

The distinction with using POSIX ACLs instead of traditional permissions is that you should only have to do it once. If you set the default ACL, I believe that it should inherit down as new files/directories are created by Splunk. (Contrast that with the find/chmod approach, which you have to do over and over again as Splunk creates and modifies files in local.)

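A small check of the inheritance claim above, as an added example that is not part of either post: it applies the answer's default-ACL recipe to a scratch directory, creates files under umask 077 (the owner-only result the question describes), and reads back the group-class bits. The group name and the two file names are placeholders; the second file simulates an application that explicitly requests mode 0600, which a default ACL cannot widen.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes setfacl/getfacl are installed
# and the filesystem supports POSIX ACLs; otherwise it reports "unsupported".
# GROUP_NAME stands in for the "splunk" group of the answer; the caller's own
# primary group is used so the script runs on any account.
GROUP_NAME="${GROUP_NAME:-$(id -gn)}"

# Group-class permission triplet ("rw-", "---", ...) of one file, from ls -l.
group_bits() {
    ls -l "$1" | cut -c5-7
}

# Returns "<plain-create bits> <explicit-0600 bits>", e.g. "rw- ---".
demo_default_acl() {
    work=$(mktemp -d) || return 1
    mkdir "$work/local"
    # Same recipe as the answer: default ACL for new entries, access ACL for
    # the directory itself. Fails cleanly where ACLs are unavailable.
    if ! setfacl -d -m "g:$GROUP_NAME:rwx" "$work/local" 2>/dev/null; then
        rm -rf "$work"
        echo unsupported
        return 0
    fi
    setfacl -m "g:$GROUP_NAME:rwx" "$work/local"

    # Ordinary create (open(2) asking for 0666) under a root-style umask 077.
    # With a default ACL present the umask is ignored, so the named group
    # entry is inherited and the group class shows rw-.
    ( umask 077; : > "$work/local/inputs.conf" )

    # An application that explicitly sets 0600 (simulated with install -m)
    # narrows the ACL mask, so the inherited group entry is masked to ---.
    ( umask 077; install -m 0600 /dev/null "$work/local/private.conf" )

    plain=$(group_bits "$work/local/inputs.conf")
    strict=$(group_bits "$work/local/private.conf")
    rm -rf "$work"
    echo "$plain $strict"
}

demo_default_acl
```

`getfacl` on the first file shows `group:<name>:rwx` with an `rw-` effective mask; on the second the same entry is present but `#effective:---`, which is the case to check before relying on a default ACL alone.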

chicodeme
Communicator

I was looking more for a setting from a Splunk config. Managing ACLs is along the same lines as having to manage permissions. Also, I have SunOS, AIX, & Linux to manage. I should have been more specific in my question. Thanks for the feedback though.
