Splunk® Universal Forwarder

Forwarder Manual



This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Secure your Linux universal forwarder with a least-privileged user

Installing a Splunk universal forwarder on Linux automatically creates a least-privileged user. This is a non-root user with permissions specific to the successful operation of the universal forwarder features and add-ons.

To install the universal forwarder with a least-privileged user, see Install a *nix universal forwarder.

Least-privileged users are created when you install or update any Linux installation packaging format, including .deb, .rpm, and .tgz formats.

The least-privileged user possesses AmbientCapabilities that let the user operate universal forwarder features and common add-ons without permission issues. These capabilities are:

Capability: CAP_DAC_READ_SEARCH
Description: Bypass file read permission checks and directory read and execute permission checks.
Use: Collects data from files outside of $SPLUNK_HOME.

Capability: CAP_NET_ADMIN
Description: Perform various network-related operations:
  • perform interface configuration
  • administer IP firewall, masquerading, and accounting
  • modify routing tables
  • bind to any address for transparent proxying
  • set type-of-service (TOS)
  • clear driver statistics
  • set promiscuous mode
  • enable multicasting
Use: Used by the Stream Forwarder.

Capability: CAP_NET_RAW
Description:
  • Use RAW and PACKET sockets
  • bind to any address for transparent proxying
Use: Used by the Stream Forwarder.
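
To confirm that a running forwarder holds only these capabilities, compare the kernel's view in /proc/<pid>/status with the list above. The script below is an added example, not Splunk code; the function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Splunk code): check a running process against the
# least-privilege settings: non-root, NoNewPrivs, expected ambient set.

# Capability bit numbers from <linux/capability.h>:
# CAP_DAC_READ_SEARCH=2, CAP_NET_ADMIN=12, CAP_NET_RAW=13
EXPECTED_AMBIENT=$(( (1 << 2) | (1 << 12) | (1 << 13) ))

# field STATUS_FILE KEY -> first value on the "KEY:" line
field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# check_process STATUS_FILE -> prints findings, returns 0 only if all pass.
check_process() {
    rc=0
    uid=$(field "$1" Uid)          # real UID
    nnp=$(field "$1" NoNewPrivs)   # 1 when NoNewPrivileges=yes took effect
    amb=$(field "$1" CapAmb)       # hex bitmask of ambient capabilities
    if [ -z "$uid" ] || [ -z "$amb" ]; then
        echo "FAIL: Uid or CapAmb line not found"; return 2
    fi
    if [ "$uid" -eq 0 ]; then echo "FAIL: running as root"; rc=1; fi
    if [ "$nnp" != 1 ]; then echo "FAIL: NoNewPrivs is not set"; rc=1; fi
    mask=$(( 0x$amb ))
    extra=$(( $mask & ~$EXPECTED_AMBIENT ))
    missing=$(( $EXPECTED_AMBIENT & ~$mask ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL: unexpected ambient capability bits 0x%x\n' "$extra"; rc=1
    fi
    if [ "$missing" -ne 0 ]; then
        printf 'FAIL: expected ambient capability bits absent 0x%x\n' "$missing"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: process matches the least-privilege settings"
    return "$rc"
}

# Constructed sample of /proc/<pid>/status lines (not captured output).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Name:   splunkd
Uid:    1001    1001    1001    1001
NoNewPrivs:     1
CapAmb: 0000000000003004
EOF
check_process "$sample"
rm -f "$sample"
```

On a live host, pass /proc/<MainPID>/status, where the main PID comes from systemctl show -p MainPID --value SplunkForwarder.service.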


Disable, enable, or change least-privileged user

The least-privileged user is enabled automatically during installation or upgrade. You can manually enable or disable it. To disable it, stop Splunk and run:

[sudo] $SPLUNK_HOME/bin/splunk disable boot-start

This command removes the unit file as well as the startup file. It removes unit files from both locations:

/usr/lib/systemd/system
/etc/systemd/system

To enable or overwrite an existing least-privileged user configuration, run:

[sudo] $SPLUNK_HOME/bin/splunk enable boot-start

This command grants least-privilege capabilities by default and creates the unit file in the user-level directory.

To change users, you must run this command again.

chown -R splunk:splunk $SPLUNK_HOME

Troubleshooting

JournalD input does not show results

If you are using a dedicated user ID, make sure the splunk user ID is in the correct group when starting Splunk using systemd.

Manually enable a least privilege user

If you encounter an error during installation that prevents the creation of a least-privileged user, you can use the following command to manually create or recreate the default least-privileged user:

[sudo] $SPLUNK_HOME/bin/splunk enable boot-start -systemd-managed 1 -user <username> -group <groupname>

This creates a unit file with the following permissions:

######## Added for least privilege mode #########
NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
#############################################

Editing unit files

Splunk software potentially creates two unit files in two locations when you install the least-privileged user on a Linux machine. If you see error messages, you may have to check and edit both files. To locate both files, run the following command:

 ./splunk display boot-start

Error messages

Error message: Cannot create file /usr/lib/systemd/system/SplunkForwarder.service: permission denied.
Description: You must create the unit file manually or the current user does not have permission to create the unit file.

Error message: Failed to auto-set default user. Please create the unit file manually.
Description: The system cannot find a valid Linux user.

Error message: Failed to create splunk unit file. Please create the unit file manually
Description: Usually a system error, for example, the system cannot create the folder, create the startup file, or reload systemd.

Reference

About the unit files created for the least privileged user

Splunk software potentially creates two unit files in different locations when you install the least-privileged user on a Linux machine.

  • If the first unit file is created successfully at installation, no further unit files are created.
  • If the first file fails during installation, another file is created on the user level in the local folder.
  • If you use the [sudo] $SPLUNK_HOME/bin/splunk enable boot-start command after a least-privileged user is created, a new file is created locally. This either creates a new file in the local directory or overwrites any local file that exists.
  • The local file takes precedence over the system file.

To see your unit files and their location in your environment, you can run splunk display boot-start.

Location: /usr/lib/systemd/system
Purpose: Where services are provided by installed packages.
Created: This is automatically created during installation, and can be overwritten during upgrade or by running [sudo] $SPLUNK_HOME/bin/splunk enable boot-start.

Location: /etc/systemd/system
Purpose: Where system-wide user services are placed by the system administrator.
Created: Created when running splunk enable boot-start -systemd-managed 1.
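
Because the local file takes precedence over the system file, an audit should read whichever unit file is effective rather than only the packaged one. The script below is an added example, not part of the Splunk tooling: effective_unit, directive, ambient_caps and audit_unit are hypothetical helper names, the unit name is taken from the error messages above, and the demo files are constructed.

```sh
#!/bin/sh
# Added example (not Splunk tooling): audit the unit file that takes
# precedence. Drop-in directories (*.service.d) are not examined.
UNIT=SplunkForwarder.service   # unit name from the error messages
# effective_unit ROOT -> winning unit file; ROOT is "" on a live host
effective_unit() {
    for d in etc/systemd/system usr/lib/systemd/system; do
        if [ -f "$1/$d/$UNIT" ]; then echo "$1/$d/$UNIT"; return 0; fi
    done
    return 1
}

# directive FILE KEY -> last value assigned to a single-valued setting
directive() { awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# ambient_caps FILE -> the setting may repeat: values accumulate and an
# empty assignment resets the list
ambient_caps() {
    awk -F= '$1 == "AmbientCapabilities" { v = ($2 == "") ? "" : v " " $2 }
             END { print v }' "$1"
}

# audit_unit FILE -> prints findings; returns 0 only when nothing is flagged
audit_unit() {
    rc=0
    case "$(directive "$1" NoNewPrivileges)" in
        yes|true|on|1) ;;
        *) echo "FAIL: NoNewPrivileges is not enabled"; rc=1 ;;
    esac
    case "$(directive "$1" User)" in
        ""|root|0) echo "FAIL: service runs as root"; rc=1 ;;
    esac
    for cap in $(ambient_caps "$1"); do
        case "$cap" in
            CAP_DAC_READ_SEARCH|CAP_NET_ADMIN|CAP_NET_RAW) ;;
            *) echo "FAIL: unexpected capability $cap"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Constructed demo: a local override that drops the hardening directives.
root=$(mktemp -d)
mkdir -p "$root/etc/systemd/system" "$root/usr/lib/systemd/system"
printf 'NoNewPrivileges=yes\nUser=splunk\n' > "$root/usr/lib/systemd/system/$UNIT"
printf 'User=root\nAmbientCapabilities=CAP_SYS_ADMIN\n' > "$root/etc/systemd/system/$UNIT"
audit_unit "$(effective_unit "$root")"
rm -rf "$root"
```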

Reference unit file template

This is an example of a unit file template. You can use it to manually create a unit file.

#This unit file replaces the traditional start-up script for systemd
#configurations, and is used when enabling boot-start for Splunk on
#systemd-based Linux distributions.

[Unit]
Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
After=network.target

[Service]

######## Added for least privilege mode #########
NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
#############################################

Type=simple
Restart=always
ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd
KillMode=mixed
KillSignal=SIGINT
TimeoutStopSec=360
LimitNOFILE=65536
SuccessExitStatus=51 52
RestartPreventExitStatus=51
RestartForceExitStatus=52
User=splunk
Group=splunk
Delegate=true
CPUShares=1024
MemoryLimit=<value>
PermissionsStartOnly=true
# Give the service user ownership of its cgroup directories; the owner must match User= and Group= above.
ExecStartPost=/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/%n"

[Install]
WantedBy=multi-user.target

Last modified on 27 February, 2024
 

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9

