
splunk - permission issue - read new log with -rw------- in a directory with drwxr-xr-x permission

season88481
Contributor

Hi everyone,

Currently I am trying to train splunk to monitor some logs in a directory.

1. The permission on the directory is drwxr-xr-x,
2. and the logs inside the directory are -rw-------.
3. So I do chmod +r // -R. After the change, the file permissions become -rw-r--r--, and splunk can read these log files without problem.
4. However, each time the application generates new log files, the new log files are written as -rw------- again.

So how can we get splunk to monitor these log files? Or do we have to add the read permission on the entire directory permanently, so that all new log files generated will automatically inherit the "-rw-r--r--" permission?

Thanks.


season88481
Contributor

Hi guys,

I just need to force an ACL on the directory, so when new log files are generated, they will still inherit the permissions of their parent directory:

setfacl -Rdm o::rx /<your directory path>
setfacl -Rm o::rx /<your directory path>

R is recursive, which means everything under that directory will have the rule applied to it.
d is default, which means all future items created under that directory have these rules applied by default. m is needed to add/modify rules.

The first command is for new items (hence the d); the second command is for old/existing items under the folder. Hope this helps someone out, as this stuff is a bit complicated and not very intuitive.

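As an added illustration (not code from the thread), here is a small Python model of the rule acl(5) applies when a file is created: without a default ACL the new file gets `mode & ~umask`; with a default ACL the umask is ignored and each default entry is masked by the mode the creating program requests. It reproduces the -rw------- the poster saw, the -rw-r--r-- after `setfacl -Rdm o::rx`, and one case the fix cannot cover; the application's creation modes and umask are assumptions.

```python
import stat

def perm_bits(text):
    """Turn an ACL permission string such as 'rx' or 'r--' into bits 0-7."""
    return ((4 if "r" in text else 0) | (2 if "w" in text else 0)
            | (1 if "x" in text else 0))

def default_acl_after_setfacl(dir_mode, other):
    """Default ACL a directory holds after `setfacl -dm o::<other> DIR`.

    If the directory had no default ACL yet, the missing u:: and g:: default
    entries are copied from the directory's own owner/group bits and o:: comes
    from the command. Assumes no named users or groups, hence no mask entry.
    """
    return {"user": dir_mode >> 6 & 7, "group": dir_mode >> 3 & 7,
            "other": perm_bits(other)}

def new_file_mode(requested_mode, umask, default_acl=None):
    """Permission bits a newly created file receives, per acl(5).

    requested_mode: mode the writing program passes to open(2)/creat(2)
    umask:          the creating process's umask
    default_acl:    the parent directory's default ACL, or None if it has none
    """
    requested_mode &= 0o777
    if default_acl is None:
        # Classic rule: the umask strips bits from the requested mode.
        return requested_mode & ~umask & 0o777
    # With a default ACL the umask is ignored; each default entry is instead
    # masked by the matching bits of the requested mode.
    u = default_acl["user"] & (requested_mode >> 6 & 7)
    g = default_acl["group"] & (requested_mode >> 3 & 7)
    o = default_acl["other"] & (requested_mode & 7)
    return u << 6 | g << 3 | o

def ls_style(mode):
    """Render permission bits the way `ls -l` prints them for a regular file."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))

def readable_by_others(mode):
    """True if a user who is neither owner nor group member can read the file."""
    return bool(mode & stat.S_IROTH)

if __name__ == "__main__":
    acl = default_acl_after_setfacl(0o755, "rx")   # drwxr-xr-x + setfacl -Rdm o::rx
    # Constructed scenarios: (label, mode the application creates with, umask, default ACL)
    for label, mode, umask, dacl in [
        ("before setfacl: app opens with 0666, umask 077", 0o666, 0o077, None),
        ("after setfacl: same application", 0o666, 0o077, acl),
        ("after setfacl: app explicitly opens with 0600", 0o600, 0o077, acl),
    ]:
        m = new_file_mode(mode, umask, dacl)
        print(f"{ls_style(m)}  readable by others: {readable_by_others(m)}  ({label})")
```

The third scenario is the caveat: a default ACL can only grant what the creating program's own mode allows, so an application that opens files with 0600 explicitly still produces -rw------- and needs its own configuration changed.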


lguinn2
Legend

You need a permanent fix that will allow Splunk to read the files within the directory. Splunk cannot bypass the operating system security.
