Deployment Architecture

SSH login gets disabled whenever Splunk forwarder starts

mandarpim
New Member

Dear Concern,

We have a distributed Splunk environment, where we forward data to the indexer via heavy forwarders. We also have a deployment server which controls the operation as well as the changes done on all forwarders centrally.

We came across one strange issue: we received a couple of fresh new boxes, and when we install forwarders on them, a few seconds later, when they sync back to the deployment server, we are not able to SSH to those servers from the deployment servers.

So, whenever we start the splunkd service on those servers, SSH login gets disabled from the deployment server. We need this connectivity to push new config changes and for management purposes.

SSH login is not allowed until we kill the Splunk forwarder service.

Let me know if anyone has faced the same issue. Let me know if you need anything more here...

Thanks in Advance.

0 Karma

robgora_deloitt
Path Finder

I would recommend always running Splunk as the splunk user. This way Splunk is controlled by a completely different user than everything else in the system. Make sure all files and directories are set to splunk for the user owner and splunk for the group owner.

This should make it so the Splunk service does not affect any other service on the system.

0 Karma
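One way to check the recommendation above on a forwarder host, as an added example that is not part of the original replies and not Splunk's own tooling: it reports which account owns the running splunkd process and lists paths under the install directory that are not owned by the expected user and group. The function names and the `/opt/splunkforwarder` path in the usage line are assumptions; the `splunk` user and group names come from the reply.

```shell
#!/bin/sh
# Added example: audit the "run Splunk as the splunk user" recommendation.
# Assumptions: install directory and account names are passed as arguments;
# function names are hypothetical, and the path in the usage line is an assumed default.

# Print every path under DIR whose owner is not OWNER or, when GROUP is
# given, whose group is not GROUP. Names or numeric ids are accepted.
ownership_mismatches() {
    dir=$1 owner=$2 group=${3:-}
    if [ -n "$group" ]; then
        find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print
    else
        find "$dir" ! -user "$owner" -print
    fi
}

# Count the mismatching paths (0 means the tree is consistently owned).
count_mismatches() {
    ownership_mismatches "$@" | wc -l | tr -d ' '
}

# List the distinct accounts that currently own a running splunkd process.
splunkd_users() {
    ps -eo user=,comm= | awk '$2 == "splunkd" { print $1 }' | sort -u
}

# Usage: sh audit.sh /opt/splunkforwarder splunk splunk
if [ "$#" -ge 2 ]; then
    echo "splunkd is running as: $(splunkd_users | tr '\n' ' ')"
    n=$(count_mismatches "$@")
    echo "$n path(s) under $1 not owned by $2${3:+:$3}"
    ownership_mismatches "$@" | head -n 20
    [ "$n" -eq 0 ]   # exit status is non-zero when any mismatch exists
fi
```

Run it as root or as the service account so `find` can read the whole tree; a non-zero exit status means at least one path is owned by a different user or group.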

robgora_deloitt
Path Finder

What user do you have Splunk UF running as?

0 Karma

mandarpim
New Member

We used the JBoss user across the environment and have passwordless auth everywhere.

0 Karma