Solved: Re: What happens when we restart universal forward...

raj_mpl · ‎04-26-2019

Hi All,

So , What happens when I restart universal forwarder as root user on Linux . And Previously if done so what needs to be done if anything goes wrong

I am missing one of the log file on a particular host , but remaining logs from different sources are working fine from the same host
So restarted UF as root user ,but didn't worked

Any help ?

Thanks

FrankVl · ‎04-26-2019

Certain files will change owner, causing stuff to break when you then restart it under the regular user). Solution:

Stop the forwarder (as root)
chown the entire splunk directory to the correct user:group
Start the forwarder (as the correct user)

View solution in original post

FrankVl · ‎04-26-2019

Certain files will change owner, causing stuff to break when you then restart it under the regular user). Solution:

Stop the forwarder (as root)
chown the entire splunk directory to the correct user:group
Start the forwarder (as the correct user)

raj_mpl · ‎04-26-2019

Will that work ? And The missing log from a particular source will start indexing again if I restart the splunk UF as splunk user.

And what the thing called fish bucket .bat files in this scenario?

FrankVl · ‎04-26-2019

Not sure what the issue was with that specific log that failed to index. But in general, when a splunk instance that used to be running as a normal user, accidentally got restarted as root. What I posted is the solution to get things back to normal.

raj_mpl · ‎04-26-2019

Ok @FrankVl , Thanks for your quick response

Thank you 🙂

What happens when we restart universal forwarder as root user ?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio