Solved: Am I breaking any best practices doing a chmod to ...

jwalzerpitt · ‎11-03-2014

I would like to configure Splunk to monitor some log files in var/log and when i go to add data and select the directory I am not seeing all of the logs and the reason is the Splunk user I create does not have rights to see the relevant logs. I was thinking about doing a chmod to grant the Splunk user access to the log files, but if I do that will I breaking any best practices regarding accessing Linux log files?

Thx

frmaasdam · ‎11-03-2014

Two possibilities here:
1. Make user Splunk member of the GID of your logfiles. Group adm? But be sure (regarding a bug) that you start your Splunk instance using su -u splunk -c
2. Or do a setfacl on the requested log files so that user splunk has the rights to execute and read the files.

View solution in original post

jwalzerpitt · ‎11-03-2014

Thx for the info and options

frmaasdam · ‎11-03-2014

Two possibilities here:
1. Make user Splunk member of the GID of your logfiles. Group adm? But be sure (regarding a bug) that you start your Splunk instance using su -u splunk -c
2. Or do a setfacl on the requested log files so that user splunk has the rights to execute and read the files.

Am I breaking any best practices doing a chmod to grant a Splunk user access to Linux log files?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases