Run Splunk as a different or non-root user
Important: This topic is for non-Windows operating systems only. To learn how to install Splunk on Windows using a user, read "Choose the user Splunk should run as" in this manual.
You can run Splunk as any user on the local system. If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to:
- Read the files and directories it is configured to watch. Some log files and directories may require root or superuser access to be indexed.
- Write to Splunk's directory and execute any scripts configured to work with your alerts or scripted input.
- Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to).
Note: Because ports below 1024 are reserved for root access only, Splunk will only be able to listen on port 514 (the default listening port for syslog) if it is running as root. You can, however, install another utility (such as syslog-ng) to write your syslog data to a file and have Splunk monitor that file instead.
To run Splunk as a non-root user, you need to first install Splunk as root. Then, before you start Splunk for the first time, change the ownership of the splunk directory to the desired user. The following are instructions to install Splunk and run it as a non-root user.
Note: In the following examples, $SPLUNK_HOME represents the path to the Splunk installation directory.
1. Create the user and group.
For Linux, Solaris, and FreeBSD:
useradd splunk
groupadd splunk
For Mac OS:
You can use the System Preferences > Accounts panel to add users and groups.
2. As root and using one of the packages (not a tar file), run the installation.
Important: Do not start Splunk yet.
3. Use the chown command to change the ownership of the splunk directory and everything under it to the desired user.
chown -R splunk $SPLUNK_HOME
Note: You might also need to change the group ownership for files in the Splunk directory. If your system's chown binary does not support changing group ownership of files, you can use the chgrp command to do so. Refer to your system's man pages for additional information.
4. Start Splunk.
Also, if you want to start Splunk as the splunk user while you are logged in as a different user, you can use the following command:
sudo -H -u splunk $SPLUNK_HOME/bin/splunk start
Keep the following in mind when using this example command:
- If Splunk is installed in an alternate location, update the path in the command accordingly.
- Your system may not have sudo installed. If this is the case, you can use
- If you are installing using a tar file and want Splunk to run as a particular user (such as splunk), you must create that user manually. The splunk user will need access to /dev/urandom to generate the certs for the product.
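The permission requirements listed at the top of this topic (read access to monitored paths, write access to the Splunk directory, and the reserved-port limit) and the ownership change in step 3 can be verified before Splunk is started for the first time. The following pre-flight script is an added example and is not part of the Splunk documentation; the default paths, the user name splunk, and the port list in the usage comment are assumptions for illustration. Run it as the user Splunk will run as, after step 3 and before step 4.

```shell
#!/bin/sh
# Pre-flight checks for running Splunk as a non-root user.
# Added example, not part of the Splunk documentation. SPLUNK_HOME and
# SPLUNK_USER are taken from the environment; the defaults are assumptions.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Ports below 1024 are reserved: only root may bind them.
# Returns 0 (true) when the port number given as $1 is reserved.
is_reserved_port() {
    [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -lt 1024 ]
}

# Print every file or directory under $1 that is not owned by user $2.
# After "chown -R splunk $SPLUNK_HOME" this should print nothing.
find_not_owned_by() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# Return 0 when user $2 owns everything under $1 (the chown -R completed).
ownership_ok() {
    [ -z "$(find_not_owned_by "$1" "$2")" ]
}

# Check that the invoking user can read each monitored path given as an
# argument. Prints the unreadable ones; returns 0 only if all are readable.
check_monitored_readable() {
    rc=0
    for path in "$@"; do
        if [ ! -r "$path" ]; then
            echo "NOT READABLE: $path"
            rc=1
        fi
    done
    return $rc
}

# Full pre-flight run: ownership of SPLUNK_HOME, write access for the
# invoking user, and a reserved-port check for each listening port given
# as an argument. Returns 0 only if every check passes.
preflight() {
    status=0
    if ownership_ok "$SPLUNK_HOME" "$SPLUNK_USER"; then
        echo "ownership: everything under $SPLUNK_HOME is owned by $SPLUNK_USER"
    else
        echo "ownership: files not owned by $SPLUNK_USER found under $SPLUNK_HOME:"
        find_not_owned_by "$SPLUNK_HOME" "$SPLUNK_USER"
        status=1
    fi
    if [ -w "$SPLUNK_HOME" ]; then
        echo "write: $SPLUNK_HOME is writable by $(id -un)"
    else
        echo "write: $SPLUNK_HOME is NOT writable by $(id -un)"
        status=1
    fi
    for port in "$@"; do
        if is_reserved_port "$port"; then
            echo "port $port: reserved, needs root (or a syslog relay writing to a file Splunk monitors)"
            status=1
        else
            echo "port $port: unprivileged, OK"
        fi
    done
    return $status
}

# Usage (as the splunk user, after step 3); the port list is an assumption:
#   preflight 8000 8089 9997 514
#   check_monitored_readable /var/log/messages /var/log/secure
```

A non-zero exit from preflight means at least one of the conditions in the list above is not met; the output names the offending files, directory, or port so it can be fixed (chown, chgrp, or a syslog relay to a file) before Splunk is started.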
Solaris 10 privileges
When installing on Solaris 10 as the splunk user, you must set additional privileges to start splunkd and bind to reserved ports.
To start splunkd as the splunk user on Solaris 10, run (as root):
# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk
To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):
# usermod -K defaultpriv=basic,net_privaddr splunk
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18