I am sorry, but this sounds like a bad excuse for not thinking this through. I have never seen that it was popular, recommended or even supported to install the forwarder with the server. If you have any good links on this then please supply them. If the docker people want this, then create a solution for them, and leave the rest of us alone. Imagine all the automation (puppet, ansible, self coded and so on) that now has to be changed. Monitoring of the user and service needs to be changed. There must be a ton of code/checks/monitoring that needs to be changed.

In regards to when this change was implemented, I did a quick install test (wiped each time):

rpm -i splunkforwarder-7.3.0-657388c7a488-linux-2.6-x86_64.rpm - owner & group = splunk
rpm -i splunkforwarder-8.0.4-767223ac207f-linux-2.6-x86_64.rpm - owner & group = splunk
rpm -i splunkforwarder-8.2.6-a6fe1ee8894b-linux-2.6-x86_64.rpm - owner & group = splunk
rpm -i splunkforwarder-9.0.0-6818ac46f2ec-linux-2.6-x86_64.rpm - owner & group = splunk
rpm -i splunkforwarder-9.0.5-e9494146ae5c.x86_64.rpm - owner & group = splunk
rpm -i splunkforwarder-9.1.0.1-77f73c9edb85.x86_64.rpm - owner & group = splunkfwd

And just to verify, I upgraded from 9.0.5 to 9.1.0.1, and yes, the owner changed from splunk to splunkfwd. So be careful out there. To be fair, support said that this should be fixed in the coming 9.1.1, retaining the previous user.

Even the documentation uses "splunk" as the owner all the way from version 9.0 to 9.0.5: https://docs.splunk.com/Documentation/Forwarder/9.0.5/Forwarder/Installanixuniversalforwarder

So I simply don't buy the excuse. Now if we are installing 9.1.0.1 and want to keep using "splunk" as the owner, we will have to manually make the install, create the "splunk" user, update the unit file, chown SPLUNK_HOME to splunk, update SPLUNK_OS_USER=splunk in splunk-launch.conf and then delete "splunkfwd", according to support. Just why.

That said, good or bad reason, it does not change the fact that this is done out of the blue with no prior warning. The same happened with the change from initd/systemd and when you changed the service name. Sorry for the rant, it just makes me annoyed that this should have been handled completely differently, imo.
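A check for the ownership change described in the post above, written as an added example; it is not part of the original post and is not Splunk tooling. It assumes splunk-launch.conf sits under `$SPLUNK_HOME/etc/`, the function names are hypothetical, and the expected account name is supplied by the caller.

```shell
#!/bin/sh
# Added example: report service-account drift on a forwarder install,
# e.g. after an upgrade that switches the owner from splunk to splunkfwd.
# Usage: check.sh <SPLUNK_HOME> <expected-account>

# Print the active SPLUNK_OS_USER value from splunk-launch.conf
# (empty when the file is absent or the setting is commented out).
launch_conf_user() {
    conf="$1/etc/splunk-launch.conf"   # assumed location under SPLUNK_HOME
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1
}

# Print the owning account of a path (portable alternative to GNU stat).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Return 0 when owner and config agree with the expected account,
# 1 on any drift, 2 when the install directory does not exist.
check_forwarder_owner() {
    home="$1"; expected="$2"; rc=0
    [ -d "$home" ] || { echo "MISSING $home"; return 2; }

    actual=$(owner_of "$home")
    if [ "$actual" != "$expected" ]; then
        echo "DRIFT owner: $home owned by '$actual', expected '$expected'"
        rc=1
    fi

    conf_user=$(launch_conf_user "$home")
    if [ -n "$conf_user" ] && [ "$conf_user" != "$expected" ]; then
        echo "DRIFT config: SPLUNK_OS_USER=$conf_user, expected '$expected'"
        rc=1
    fi

    # Count files left under another account, e.g. after a partial chown.
    # Skipped when the expected account does not exist on this host.
    if id -u "$expected" >/dev/null 2>&1; then
        strays=$(find "$home" ! -user "$expected" 2>/dev/null | wc -l | tr -d ' ')
        [ "$strays" -eq 0 ] || { echo "DRIFT files: $strays not owned by '$expected'"; rc=1; }
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then check_forwarder_owner "$1" "$2"; exit $?; fi
```

Run before and after a package upgrade in the same automation that performs it, so that a changed owner fails the run instead of surfacing later as broken monitoring.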