
Splunk Add Monitor Command Error: Why is "Parameter name: Path is not readable"?

rogue_carrot
Communicator

Hello Team Splunk,

I am trying to add a monitor to a log file. When I do this as either the 'splunk' user or the 'root' user, I receive the following error: "Parameter name: Path is not readable." I noticed that as the 'splunk' user I cannot read the file with the vi program. However, I can read the file as the root user. So why would I receive this error if the 'root' user can read the file and I am running the ./splunk program as 'root'? I also noticed that the log files I am trying to forward are on a network file system that is mounted on the operating system (OS). I am not sure if this mount makes a difference or not.

Also, I noticed I can add the entire directory but not the specific file I want to forward to the indexer. Also, when I monitor the entire directory, the indexer only monitors some other out-of-date log file and not the log file I am after. 0_o I noticed that the files in this directory are executable except for the specific log file I am trying to monitor.

Regards,

rogue_carrot


rogue_carrot
Communicator

I found out the problem. The splunk user did not have read access to the file. I gave the file read/write access with the Linux setfacl program. Then my remote indexer picked up the forwarded log file events. I followed this simple tutorial: https://www.webhostinghero.com/how-to-give-file-permissions-to-a-specific-user-in-linux/


amiftah
Communicator

As a best practice, you should configure your systems to run the software as a non-root user.
Try to change the ownership of the $SPLUNK_HOME directory to the user that you want Splunk software to run as.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Installation/RunSplunkasadifferentornon-rootuser

rogue_carrot
Communicator

Thank you for the reply. 🙂 I stopped the running splunk process that was executing as root and restarted the splunk process as the splunk user.

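Added example, not part of the original thread: a POSIX shell check, meant to be run as the account Splunk runs as, that walks a monitored path, reports the first component that account cannot traverse or read, and prints the narrowest setfacl grant for it. The account name splunk comes from the thread; the log path in the comment and the function names first_blocker and suggest_acl are assumptions.

```shell
#!/bin/sh
# Added example. Run as the account Splunk runs as, for instance:
#   sudo -u splunk sh check_monitor_path.sh /mnt/nfs/app.log   (constructed path)

# Print the first component of path $1 that the current user cannot use.
# Returns 0 when every directory is searchable and the file is readable.
first_blocker() {
    target=$1
    case $target in /*) ;; *) target="$PWD/$target" ;; esac
    current=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -z "$part" ] && continue
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "missing $current"; return 1
        elif [ -n "$rest" ] && [ ! -x "$current" ]; then
            # A directory needs search (x) permission to be traversed.
            echo "no-search $current"; return 1
        elif [ -z "$rest" ] && [ ! -r "$current" ]; then
            echo "no-read $current"; return 1
        fi
    done
    return 0
}

# Map a first_blocker line ($2) to the narrowest ACL for account $1.
# A monitor input only reads the file, so no write bit is granted.
suggest_acl() {
    reason=${2%% *}
    path=${2#* }
    case $reason in
        no-search) echo "setfacl -m u:$1:--x '$path'" ;;
        no-read)   echo "setfacl -m u:$1:r-- '$path'" ;;
        *)         echo "# no ACL change applies: $2" ;;
    esac
}

if [ "$#" -ge 1 ]; then
    if blocker=$(first_blocker "$1"); then
        echo "OK: $(id -un) can read $1"
    else
        echo "BLOCKED: $blocker"
        suggest_acl "$(id -un)" "$blocker"
    fi
fi
```

The script only prints the setfacl command; review it and run it yourself as a user allowed to change the ACL.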