So here is the issue. We set up an account in Linux that can access these files when you are logged on to the box as Splunk. Permissions are correct. But when the Splunk Universal Forwarder tries to access them, it gets permission denied.
01-25-2017 14:17:55.326 +0000 WARN FilesystemChangeWatcher - error reading directory "/user_projects/domains/pgcprd/servers/pgc-01": Permission denied
I have found a workaround. Currently the Splunk account has
groups=880(splunk),600(dba),1201(buildgrp)
but if I change it to
group=600(dba),1201(buildgrp),880(splunk)
it works fine.
Is there an issue with Splunk being a member of more than one group?