Security

How should I configure a Splunk instance to run smoothly as a regular Splunk user versus root?

michael_lee
Path Finder

I find that I encountered more problems running splunk instances as the user splunk than using root. When I use splunk to start a Splunk instance, the receiving port that I use to listen to incoming forwarded data could not be started up. When I use root to start Splunk instance, then everything works. So, should I be running Splunk instance with root or not? If not, how should I configure Splunk instance to run smoothly user a normal user account.

Tags (3)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi michael_lee,

this is not a Splunk problem, this is based on the so called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use a iptables rule to route input for port 800 to the Splunk port 1800:

   /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi michael_lee,

this is not a Splunk problem, this is based on the so called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 800 with Splunk inputs, create a new Splunk tcp input on port 1800 and use a iptables rule to route input for port 800 to the Splunk port 1800:

   /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 800 -j REDIRECT --to-ports 1800

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

michael_lee
Path Finder

thanks. so what should be running on port 800? is port 800 in your example a service?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

As a note here, Splunk by default uses ports > 1024, which dont require priv to open. For example the default web port is TCP/8000 and the Default SplunkIn port is TCP/9997.

In cases where you want to use ports < 1024, you will need root or super user level access to do this.

0 Karma

MuS
SplunkTrust
SplunkTrust

Another side note, this post from @Gilles http://unix.stackexchange.com/questions/10735/linux-allowing-an-user-to-listen-to-a-port-below-1024 provides three possible solutions for this. From my point of view the docs http://docs.splunk.com/Documentation/Splunk/6.3.2/installation/RunSplunkasadifferentornon-rootuser should be modified in this regard - I'll ping @docs

0 Karma

MuS
SplunkTrust
SplunkTrust

This is the port Splunk will open for your input and it's just an example, instead of foo I used 800.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...