Hi,
we want to deploy universal forwarders to solaris 10 machines.
For security reasons, we want to keep the number of applications running with root priviledges as low as possible, and would prefer to run the forwarder as the user "splunk".
We need to index the contents of the file "/var/log/authlog", which is only readable for "root":
-rw------- 1 root sys 34M Sep 14 08:42 authlog
We tried to add splunk to the group "sys", and make the file readable to the group, but this is not working as the process writing "authlog" resets the permission each time authlog is written to.
Is there a way to work around this, or is the only solution to run splunk with root priviledges?
Thanks,
Christoph
... View more