Run Splunk Enterprise as a different or non-root user
On *nix based systems, you can run Splunk Enterprise as a user other than root. This is a Splunk best practice and you should configure your systems to run the software as a non-root user where possible.
If you run Splunk software as a non-root user, confirm that the software can perform the following:
- Read the files and directories that you configure it to monitor. Some log files and directories might require root or superuser access to be indexed.
- Write to the Splunk Enterprise directory and execute any scripts configured to work with your alerts or scripted input. See Configure a script for an alert action in the Alerting Manual or Get data from APIs and other remote data interfaces through scripted inputs in Getting data in.
- Bind to the network ports it is listening on. Network ports below 1024 are reserved ports that only the root user can bind to.
Because network ports below 1024 are reserved for root access only, Splunk software can only listen on port 514 (the default listening port for syslog) if it runs as root. You can, however, install another utility (such as syslog-ng) to write your syslog data to a file and have Splunk monitor that file instead.
Set up Splunk software to run as a non-root user
- Install Splunk software as the root user, if you have root access. Otherwise, install the software into a directory that has write access for the user that you want Splunk software to run as.
- Change the ownership of the
$SPLUNK_HOME
directory to the user that you want Splunk software to run as. - Start the Splunk software.
Example instructions on how to install Splunk software as a non-root user
In this example, $SPLUNK_HOME
represents the path to the Splunk Enterprise installation directory.
- Log into the machine that you want to install Splunk software as root.
- Create the
splunk
user and group.
On Linux:useradd splunk groupadd splunk
On Mac OS: You can use the System Preferences > Accounts System Preferences panel to add users and groups.
- Install the Splunk software, as described in the installation instructions for your platform. See Installation instructions.
Do not start Splunk Enterprise yet.
- Run the
chown
command to change the ownership of thesplunk
directory and everything under it to the user that you want to run the software.
chown -R splunk:splunk $SPLUNK_HOME
If the
chown
binary on your system does not support changing group ownership of files, you can use thechgrp
command instead. See theman
pages on your system for additional information on changing group ownership. - Become the non-root user.
su - <user>
You can also log out of the root account and log in as that user.
- Start the Splunk software.
$SPLUNK_HOME/bin/splunk start
Use sudo to start or stop Splunk software as a different user
If you want to start Splunk Enterprise as the splunk
user while you are logged in as a different user, you can use the sudo
command.
sudo -H -u splunk $SPLUNK_HOME/bin/splunk start sudo -H -u splunk $SPLUNK_HOME/bin/splunk stop
This example command assumes the following:
- That Splunk Enterprise has been installed in the default installation directory. If Splunk Enterprise is in an alternate location, update the path in the command accordingly.
- That your system has the
sudo
command available. If this is not the case, usesu
or get and installsudo
. - That you have already created the user that you want Splunk software to run as.
- That the
splunk
user has access to the/dev/urandom
device to generate the certificates for the product.
Further reading
- To configure Splunk software to run at boot time as a non-root user, see Enable boot-start as a non-root user in the Admin Manual.
- To learn how to install Splunk Enterprise on Windows using a user that is not an administrator, see Choose the user Splunk Enterprise should run as.
- To learn how to change the Windows user that Splunk Enterprise services use, see Change the user selected during Windows installation.
Install on Mac OS X | Deploy and run Splunk Enterprise inside a Docker container |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
Feedback submitted, thanks!