Configure capabilities
As of Splunk Universal forwarder 9.0.1, the capability roles for the forwarder access the forwarder have been reduced. In previous releases, the Splunk Universal forwarder provided three capabilities enabled:
- CAP_DAC_READ_SEARCH
- CAP_NET_ADMIN
- CAP_NET_RAW
As of version 9.0.1 these three capabilities have been reduced down to one:
- CAP_DAC_READ_SEARCH
However, Splunk Stream 8.1 still needs the CAP_NET_ADMIN and CAP_NET_RAW capabilities to function properly. You must specify these capabilities in the Splunk universal forwarder systemd service unit file.
To change the Splunk Universal forwarder systemd service unit file to add the additional capabilities needed for Stream:
- Locate of Splunk Universal forwarder systemd service unit file using the following command:
$SPLUNK_HOME/bin/splunk display boot-start
- If you haven't enabled boot-start on your forwarder, the Splunk universal forwarder systemd service unit file is located at
/lib/systemd/system/SplunkForwarder.service
. - If you have enabled boot-start on your forwarder, the Splunk universal forwarder systemd service unit file is located at
/etc/systemd/system/SplunkForwarder.service
- If you haven't enabled boot-start on your forwarder, the Splunk universal forwarder systemd service unit file is located at
- Edit Splunk Universal forwarder systemd service unit file and edit the line:
AmbientCapabilities=CAP_DAC_READ_SEARCH
To:CAP_NET_ADMIN and CAP_NET_RAW AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
- Reload the systemd daemon for the unit file change to take effect:
sudo systemctl daemon-reload
- Restart the Splunk universal forwarder:
sudo $SPLUNK_HOME/bin/splunk restart
This documentation applies to the following versions of Splunk Stream™: 8.1.0, 8.1.1, 8.1.3
Feedback submitted, thanks!