Splunk® Enterprise

Installation Manual

This documentation does not apply to the most recent version of Splunk.

Run Splunk Enterprise as a different or non-root user

Important: This topic is for non-Windows operating systems only.

You can run Splunk Enterprise as any user on the local system. It is a Splunk best practice to run Splunk software as a non-root user.

If you run Splunk software as a non-root user, confirm that it can:

  • Read the files and directories that you configure it to monitor. Some log files and directories might require root or superuser access to be indexed.
  • Write to the Splunk Enterprise directory and execute any scripts configured to work with your alerts or scripted input.
  • Bind to the network ports it is listening on. Network ports below 1024 are reserved ports that only the root user can bind to.

Because network ports below 1024 are reserved for root access only, Splunk software can only listen on port 514 (the default listening port for syslog) if it runs as root. You can, however, install another utility (such as syslog-ng) to write your syslog data to a file and have Splunk monitor that file instead.
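
The three conditions above can be checked before the first start. The following script is an added example, not part of the Splunk documentation; the file name preflight.sh, the function names, and the sample ports and paths are assumptions, and it expects a POSIX shell.

```shell
#!/bin/sh
# Added example: pre-flight check for running Splunk software as non-root.
# Run it AS the account that will run Splunk. Ports and paths are samples:
#   sudo -H -u splunk sh preflight.sh "$SPLUNK_HOME" "8089 514" /var/log/messages

# Succeeds if PORT is a reserved port (below 1024).
port_needs_root() {
    [ "$1" -lt 1024 ]
}

# Print every file under DIR that is not owned by USER (name or numeric uid).
files_not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Print each given path that the current user cannot read.
unreadable_paths() {
    for p in "$@"; do
        [ -r "$p" ] || printf '%s\n' "$p"
    done
}

# preflight SPLUNK_HOME "PORT PORT ..." [MONITORED_PATH ...]
# Returns 0 when every check passes, 1 otherwise.
preflight() {
    dir=$1; ports=$2; shift 2
    rc=0
    me=$(id -un 2>/dev/null || id -u)
    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL: running as root; rerun as the Splunk user"; rc=1
    fi
    if [ -n "$(files_not_owned_by "$dir" "$(id -u)")" ]; then
        echo "FAIL: files under $dir are not owned by $me; rerun chown -R"; rc=1
    fi
    [ -w "$dir" ] || { echo "FAIL: $dir is not writable by $me"; rc=1; }
    for port in $ports; do
        if port_needs_root "$port"; then
            echo "FAIL: port $port is below 1024 (reserved for root)"; rc=1
        fi
    done
    bad=$(unreadable_paths "$@")
    if [ -n "$bad" ]; then
        echo "FAIL: $me cannot read: $bad"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $me can run Splunk software from $dir"
    return "$rc"
}

if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

The ownership check also catches files left behind when the software was started once as root before the chown step. The read check tests only the path itself, not the contents of a monitored directory.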

Set up Splunk software to run as a non-root user

  1. Install Splunk software as the root user, if you have root access. Otherwise, install the software into a directory that has write access for the user that you want Splunk software to run as.
  2. Change the ownership of the $SPLUNK_HOME directory to the user that you want Splunk software to run as.
  3. Start the Splunk software.

Example instructions on how to install Splunk software as a non-root user

In this procedure, $SPLUNK_HOME represents the path to the Splunk Enterprise installation directory.

  1. Log in as root to the machine on which you want to install Splunk software.
  2. Create the splunk user and group.
    On Linux, Solaris, and FreeBSD:
    useradd splunk
    groupadd splunk
    

    On Mac OS: You can use the System Preferences > Accounts panel to add users and groups.

  3. Install the Splunk software, as described in the installation instructions for your platform.

    Do not start Splunk Enterprise yet.

  4. Run the chown command to change the ownership of the splunk directory and everything under it to the user that you want to run the software.
    chown -R splunk:splunk $SPLUNK_HOME
    

    If the 'chown' binary on your system does not support changing group ownership of files, you can use the 'chgrp' command instead. See the 'man' pages on your system for additional information on changing group ownership.

  5. Become the non-root user.
    su - <user>
    

    You can also log out of the root account and log in as that user.

  6. Start the Splunk software.
    $SPLUNK_HOME/bin/splunk start
    

Use sudo to start or stop Splunk software as a different user

If you want to start Splunk Enterprise as the splunk user while you are logged in as a different user, you can use the sudo command.

sudo -H -u splunk $SPLUNK_HOME/bin/splunk start
sudo -H -u splunk $SPLUNK_HOME/bin/splunk stop

This example command assumes the following:

  • That Splunk Enterprise has been installed in the default installation directory. If Splunk Enterprise is in an alternate location, update the path in the command accordingly.
  • That your system has the sudo command available. If this is not the case, use su, or obtain and install sudo.
  • That you have already created the user that you want Splunk software to run as.
  • That the splunk user has access to the /dev/urandom device to generate the certificates for the product.

Additional privileges and network ports required for installation on Solaris 10

When installing Splunk Enterprise on Solaris 10 as the splunk user, you must set additional privileges to start splunkd and bind to reserved ports.

To start splunkd as the splunk user on Solaris 10, run:

usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk

To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):

usermod -K defaultpriv=basic,net_privaddr splunk

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14


Comments

Hi Rmaus,

I agree with your assessment and have made the updates you suggested.

Thanks.

Malmoore
July 28, 2014

Item 4 can be interpreted in an ambiguous manner resulting in the unintended effect of starting Splunk as user 'root' (which defeats the whole purpose of this page) since the previous steps, either directly or indirectly, imply running as user 'root' and there is no indication in item 4 to the contrary.

I suggest rewriting all the items more explicitly with the following preambles:
* Items 1 through 3: "As user 'root', ..."
* Item 4: "As non-root user, 'splunk', ..."

Rmaus
July 25, 2014
