Solved: Re: Why is the forwarder unable to read logs owned...

thirulog · ‎12-04-2017

I have a Splunk forwarder under oraepm functional user and I am trying to read logs that are owned by a different functional userid.

Do I need to install one more Splunk forwarder with the new userid?

lycollicott · ‎12-04-2017

Others will probably disagree with me, but a Universal Forwarder should run as a privileged account or member of a privileged group.

If that is not palatable to you or your organization then add oraepm to the group which ownes the logs it cannot read.

View solution in original post

richgalloway · ‎12-04-2017

Installing more than one forwarder on a system is complicated and usually doesn't work as expected.
The preferred solution is to use ACLs to grant user oraepm read access to the logs.

---
If this reply helps you, Karma would be appreciated.

thirulog · ‎12-04-2017

thank you I have grant user oraepm read access to the logs.

lycollicott · ‎12-04-2017

Others will probably disagree with me, but a Universal Forwarder should run as a privileged account or member of a privileged group.

If that is not palatable to you or your organization then add oraepm to the group which ownes the logs it cannot read.

thirulog · ‎12-04-2017

thank you I have grant user oraepm read access to the logs.

Why is the forwarder unable to read logs owned by a different functional user ID?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases