Run Splunk as a different or non-root user
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Run Splunk as a different or non-root user
You can run Splunk as any user on the local system. If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to:
- Read the files and directories it is configured to watch. Some log files and directories may require root or superuser access to be indexed.
- Write to Splunk's directory and execute any scripts configured to work with your alerts or scripted input.
- Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to).
Note: Because ports below 1024 are reserved for root access only, Splunk will only be able to listen on port 514 (the default listening port for syslog) if it is running as root. You can, however install another utility (such as syslog-ng) to write your syslog data to a file and have Splunk monitor that file instead.
Instructions
To run Splunk as a non-root user, you need to first install Splunk as root. Then, before you start Splunk for the first time, change the ownership of the splunk directory to the desired user. The following are instructions to install Splunk and run it as a non-root user, splunk.
Note: In the following examples, $SPLUNK_HOME represents the path to the Splunk installation directory.
1. Create the user and group, splunk.
For Linux, Solaris, and FreeBSD:
useradd splunk groupadd splunk
For Mac OS:
You can use the System Preferences > Accounts panel to add users and groups.
2. As root and using one of the packages (not a tarball), run the installation.
Important: Do not start Splunk yet.
3. Use the chown command to change the ownership of the splunk directory and everything under it to the desired user.
chown -R splunk $SPLUNK_HOME
4. Start Splunk.
$SPLUNK_HOME/bin/splunk start
Also, if you want to start Splunk as the splunk user while you are logged in as a different user, you can use the sudo command:
sudo -H -u splunk $SPLUNK_HOME/bin/splunk start
This example command assumes:
- If Splunk is installed in an alternate location, update the path in the command accordingly.
- Your system may not have
sudoinstalled. If this is the case, you can usesu. - If you are installing using a tarball and want Splunk to run as a particular user (such as
splunk), you must create that user manually. - The
splunkuser will need access to/dev/urandomto generate the certs for the product.
Solaris 10 privileges
When installing on Solaris 10 as the splunk user, you must set additional privileges to start splunkd and bind to reserved ports.
To start splunkd as the splunk user on Solaris 10, run:
# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk
To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):
# usermod -K defaultpriv=basic,net_privaddr splunk
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.
Comments
> Then, before you start Splunk for the first time, change the ownership of the splunk directory to the desired user.
Why? Why is this so important to do the first time, and not later? Does Splunk do something internally with this information? Why can't I start as root now, play with it for a bit, and then `chown -R splunk $SPLUNK_HOME` and restart it later? I've run hundreds of servers on Linux, and this is the first that requires that I change the ownership before I start the daemon for the first time.
NOTE FOR COMMENT BELOW.
It seems that comments posted here are not allowed to contain brackets (less-than and greater-than). This makes my previous comment hard to read.
The 'rpm -i' (and 'dpkg -i') lines mentioned are to be read
rpm -i THE-NAME-OF-THE-INSTALLATION-FILE.rpm
The line for changing the admin password should read
su splunk -c "/opt/splunk/bin/splunk edit user admin -password THE-NEW-PASSWORD -auth admin:changeme"
Sorry for that
Assuming you have RPM and want to install as the non-root user 'splunk', the following installation script may be simple and helpful. Note that the 'splunk' account gets created by the RPM installer. For Debian, change the first line to "dpkg -i .deb".
Place the script in the same directory as the installation file. Replace text between brackets. Run as root
### Script starts below this line ###
#!/bin/sh
rpm -i .rpm
chown -R splunk:splunk /opt/splunk
su splunk -c "/opt/splunk/bin/splunk start --accept-license"
/opt/splunk/bin/splunk enable boot-start -user splunk
su splunk -c "/opt/splunk/bin/splunk edit user admin -password -auth admin:changeme"
/etc/init.d/splunk restart
#OPTIONAL: to let Splunk read files owned by 'root' (such as some /var/log stuff) consider the following:
# /usr/sbin/usermod -a -G root splunk
### Script ends above this line ###
This is basically it, should work for most cases.
BE CAREFUL!
Running "chown -R splunk $SPLUNK_HOME/" as root can be very dangerous if $SPLUNK_HOME is not properly defined.. This is a very dangerous command to have casually listed in these instructions..
There is one additional piece if you use the init script (aka 'boot-start'):
http://splunk-base.splunk.com/answers/13841/splunk-startup-script-start-as-splunk-user
It would probably be good to include that here.
hi Richard, this is what i found on our community wiki about running under selinux:
http://www.splunk.com/wiki/Community:SplunkOnSELinux
Given that I accomplished the above, until "splunk start", Splunk will not start yet because of SELinux. Is there any knowledge on "setting the 'SPLUNK_IGNORE_SELINUX' environment variable"? I'm using Fedora.
When running as user splunk, I am unable to collect events from root-owned files such as /var/log/secure. Per advice above I executed the following command and it did add slunk to the root group in /etc/group.
/usr/sbin/usermod -a -G root splunk
Suggestions appreciated..