- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- splunk starting as root user how to change this on...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Slunk starting as root user, I used chown -R splunk;splunk /opt/splunk/ and its caousing errors when I try to restart splunk using splunk user. How to resolve this?
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable. [FAILED]
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
Splunk> Australian for grep.
Checking prerequisites...
Checking http port [8000]: already bound
ERROR: The http port [8000] is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kiran331,
You'll want convert to running as the Splunk user in a specific order:
1. Stop Splunk
2. chown -R splunk: /opt/splunk
3. splunk enable boot-start -user splunk
4. chown root:splunk /opt/splunk/etc/splunk-launch.conf (We want to ensure the Splunk user cannot tell itself to run as root, see: https://github.com/MattUebel/splunk_UF_hardening)
The issue you have is Splunk was potentially writing out files after your chown as root still and the pidfile not readable by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kiran331,
You'll want convert to running as the Splunk user in a specific order:
1. Stop Splunk
2. chown -R splunk: /opt/splunk
3. splunk enable boot-start -user splunk
4. chown root:splunk /opt/splunk/etc/splunk-launch.conf (We want to ensure the Splunk user cannot tell itself to run as root, see: https://github.com/MattUebel/splunk_UF_hardening)
The issue you have is Splunk was potentially writing out files after your chown as root still and the pidfile not readable by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
neat answer, thank you
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
