Splunk® Light

Installation Manual

Download manual as PDF

Download topic as PDF

Run Splunk Light as a non-root user

You can run Splunk Light as any user on the local system that has the appropriate permissions.

  • Read the files and directories that it is configured to monitor or index. Some files and directories require root or superuser access to be indexed.
  • Write to the Splunk Light directory and execute any scripts that are configured to work with your alerts of scripted inputs.
  • Bind to the network ports it monitors. Network ports below 1024 are reserved ports that only the root user can bind to.

On Windows

When you run the Windows installer for Splunk Light, you can select the user to run. The user that you select determines what data Splunk Light can monitor. The Local System user can access all data on the local machine, but nothing else. To run as other existing users, you need to define their access before you install Splunk Light.

You must install as a domain user to do any of the following actions.

  • Read Event Logs remotely.
  • Collect performance counters remotely.
  • Read network shares for log files.
  • Monitor Active Directory.

On Mac OSX and Linux

Follow these steps to run Splunk Light as a non-root user called splunkuser.

1. As the root user, create the user and group splunk.

  • On Mac OSX, use the System Preferences > Accounts panels to create the user splunkuser and group splunk.
  • On Linux, run the following commands:
useradd splunkuser
groupadd splunk

Note: The splunkuser requires access to /dev/urandom to generate the certs for the product.


2. As the root user, install Splunk Light using one of the packages that is not a tar file.

Note: After the installation finishes, do not start Splunk Light.

3. Change the ownership of the $SPLUNK_HOME directory and its contents to the splunk user.

chown -R splunkuser:splunk $SPLUNK_HOME

4. As splunkuser, start Splunk Light. You have two options to do this.

  • Log out from root and log in as splunkuser. Then, run:
$SPLUNK_HOME/bin/splunk start
  • Use sudo or su to start Splunk Light as splunkuser
sudo -H -u splunkuser $SPLUNK_HOME/bin/splunk start
PREVIOUS
Install Splunk Light using Linux
  NEXT
Install and deploy a universal forwarder for Splunk Light

This documentation applies to the following versions of Splunk® Light: 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters