Run Splunk Light as a non-root user
You can run Splunk Light as any user on the local system that has the appropriate permissions.
- Read the files and directories that it is configured to monitor or index. Some files and directories require root or superuser access to be indexed.
- Write to the Splunk Light directory and execute any scripts that are configured to work with your alerts of scripted inputs.
- Bind to the network ports it monitors. Network ports below 1024 are reserved ports that only the root user can bind to.
When you run the Windows installer for Splunk Light, you can select the user to run. The user that you select determines what data Splunk Light can monitor. The Local System user can access all data on the local machine, but nothing else. To run as other existing users, you need to define their access before you install Splunk Light.
You must install as a domain user to do any of the following actions.
- Read Event Logs remotely.
- Collect performance counters remotely.
- Read network shares for log files.
- Monitor Active Directory.
On Mac OSX and Linux
Follow these steps to run Splunk Light as a non-root user called
1. As the
root user, create the user and group
- On Mac OSX, use the System Preferences > Accounts panels to create the user
- On Linux, run the following commands:
useradd splunkuser groupadd splunk
splunkuser requires access to
/dev/urandom to generate the certs for the product.
2. As the
root user, install Splunk Light using one of the packages that is not a tar file.
Note: After the installation finishes, do not start Splunk Light.
3. Change the ownership of the
$SPLUNK_HOME directory and its contents to the
chown -R splunkuser:splunk $SPLUNK_HOME
splunkuser, start Splunk Light. You have two options to do this.
- Log out from
rootand log in as
splunkuser. Then, run:
suto start Splunk Light as
sudo -H -u splunkuser $SPLUNK_HOME/bin/splunk start
Install Splunk Light using Linux
Install and deploy a universal forwarder for Splunk Light
This documentation applies to the following versions of Splunk® Light: 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1