Solved: Re: How to change permissions on Splunk log files?

dshakespeare_sp · ‎01-22-2015

I have a need to monitor splunk logs with other applications, therefore I would like to change all (existing and newly created ones) splunk logs' permission from 600(rw- --- ---) to 604(rw- --- r--).
Is there a good way to accomplish this ?

This needs to work for all files, both new and existing.
I have tried setting "umask" etc, but nothing I have tried seems to work.

Any Ideas?

dshakespeare_sp · ‎01-22-2015

As this only affects the $SPLUNK_HOME/var/log files the following has worked for some customers

"splunk stop"
chmod -R 604 <$SPLUNK_HOME/var/log/splunk> (change existing file)
setfacl -Rmd:other:r <$SPLUNK_HOME/var/log> (set ACLs on directory so all new files are created 604)
"splunk start"

View solution in original post

jmackie · ‎05-27-2018

If Splunk's official response to this is 'use setfacl' and not "we should be obeying the umask set for the user Splunk runs as", that's pretty awful from a system administrators point of view.

dshakespeare_sp · ‎01-22-2015

As this only affects the $SPLUNK_HOME/var/log files the following has worked for some customers

"splunk stop"
chmod -R 604 <$SPLUNK_HOME/var/log/splunk> (change existing file)
setfacl -Rmd:other:r <$SPLUNK_HOME/var/log> (set ACLs on directory so all new files are created 604)
"splunk start"

How to change permissions on Splunk log files?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...