
Run Splunk as a non-root user

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4

Splunk can run as any user on the local system.


If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to:


  • Read the files and directories it is configured to watch
    • Some log files and directories may require root or superuser access to be indexed
  • Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to)
    • UDP port 514 is the port for syslog data
  • Execute any scripts configured to work with your alerts or scripted input
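
The three permission requirements above, written as a pre-flight check to run as the account Splunk will use. This is an added example, not part of the Splunk documentation; the function names and the sample paths and ports passed to it are assumptions.

```shell
#!/bin/sh
# Pre-flight permission check (added example). Run it AS the account Splunk
# will use, for example: sudo -H -u splunk sh preflight.sh
# Function names and any paths/ports passed in are assumptions, not Splunk's.

# Ports below 1024 are reserved: only root can bind to them.
port_is_reserved() {
    [ "$1" -lt 1024 ]
}

# Succeeds if the current user can bind to the port under that rule.
# An unreserved port falls through the "if" with status 0.
can_bind() {
    if port_is_reserved "$1"; then
        [ "$(id -u)" -eq 0 ]
    fi
}

# Succeeds if the current user can read a watched file, or can read and
# traverse a watched directory.
can_watch() {
    if [ -d "$1" ]; then
        [ -r "$1" ] && [ -x "$1" ]
    else
        [ -f "$1" ] && [ -r "$1" ]
    fi
}

# Succeeds if an alert or scripted-input script is executable by this user.
can_run() {
    [ -f "$1" ] && [ -x "$1" ]
}

# preflight KIND VALUE [KIND VALUE ...]   KIND is watch, port or script.
# Prints one line per failed check and returns the number of failures.
preflight() {
    failures=0
    while [ "$#" -ge 2 ]; do
        kind=$1; value=$2; shift 2
        case $kind in
            watch)  can_watch "$value" ;;
            port)   can_bind "$value" ;;
            script) can_run "$value" ;;
            *)      false ;;
        esac || { echo "FAIL $kind $value (user: $(id -un))"; failures=$((failures + 1)); }
    done
    return "$failures"
}
# Constructed sample call:
#   preflight watch /var/log/messages port 514 script /path/to/alert.sh
```

A failure on port 514 for a non-root account is expected under the reserved-port rule; the check makes that visible before Splunk is started.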

Start Splunk as a non-root user

To run Splunk as the splunk user, run the command:


sudo -H -u splunk /opt/splunk/bin/splunk start

Note: This is an example command, and makes some assumptions:


  • If Splunk is installed in an alternate location, update the path in the command accordingly.
  • Your system may not have sudo installed. If this is the case, you can use su.
  • If you are installing using a tarball and want Splunk to run as a particular user (such as splunk), you must create that user manually.

Revision: 207