This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to:
Note: Because ports below 1024 are reserved for root access only, Splunk will only be able to listen on port 514 (the default listening port for syslog) if it is running as root. You can, however, install another utility (such as syslog-ng) to write your syslog data to a file and have Splunk monitor that file instead.
To run Splunk as a non-root user, you need to first install Splunk as root. Then, before you start Splunk for the first time, change the ownership of the splunk directory to the desired user. The following are instructions to install Splunk and run it as a non-root user, splunk.
1. Create the user and group, splunk.
For Linux, Solaris, and FreeBSD:
useradd splunk
groupadd splunk
For Mac OS:
You can use the System Preferences > Accounts panel to add users and groups.
2. As root and using one of the packages (not a tarball), run the installation.
Important: Do not start Splunk yet.
3. Use the chown command to change the ownership of the splunk directory and everything under it to the desired user.
chown -R splunk $SPLUNK_HOME/
Note: $SPLUNK_HOME refers to the installation directory of Splunk.
4. Start Splunk.
$SPLUNK_HOME/bin/splunk start
Also, if you want to start Splunk as the splunk user while you are logged in as a different user, you can use the sudo command:
sudo -H -u splunk $SPLUNK_HOME/bin/splunk start
This example command assumes:
- sudo is installed. If it is not, you can use su.
- The user (splunk) exists. If it does not, you must create that user manually.
- The splunk user will need access to /dev/urandom to generate the certs for the product.
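A preflight script for the non-root start described above, added here as an example (it is not part of the Splunk documentation). It assumes the installation directory, the target user name and the listening port are passed in as arguments; it checks that everything under the directory already belongs to that user (step 3) and that the port is not a reserved one (the port 514 note), before printing the sudo form of the start command.

```shell
#!/bin/sh
# Added example, not Splunk's own code. Arguments (SPLUNK_HOME, user, port)
# are assumptions supplied by the caller.

# Return 0 if every path under directory $1 is owned by user $2,
# 1 if some path is owned by someone else (chown -R was skipped or partial),
# 2 if the user or the directory does not exist, so the check cannot run.
check_ownership() {
    dir=$1; user=$2
    id -u "$user" >/dev/null 2>&1 || return 2
    [ -d "$dir" ] || return 2
    # First path not owned by the user; empty output means ownership is clean.
    stray=$(find "$dir" ! -user "$user" -print 2>/dev/null | head -n 1)
    [ -z "$stray" ]
}

# Return 0 if port $1 is below 1024 (reserved, needs root), 1 otherwise.
port_needs_root() {
    [ "$1" -lt 1024 ]
}

# Combine both checks and print the start command only when they pass.
preflight() {
    home=$1; user=$2; port=$3
    rc=0; check_ownership "$home" "$user" || rc=$?
    case $rc in
        2) echo "user $user or directory $home does not exist" >&2; return 2 ;;
        1) echo "not all files belong to $user; run: chown -R $user $home/" >&2; return 1 ;;
    esac
    if port_needs_root "$port"; then
        echo "port $port is reserved; $user cannot bind it without root" >&2
        return 1
    fi
    echo "ok: sudo -H -u $user $home/bin/splunk start"
}
```

Run it as `preflight /opt/splunk splunk 8089` (paths and port are placeholders) before the first start; a non-zero exit means the ownership or port prerequisite is not met.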
When installing on Solaris 10 as the splunk user, you must set additional privileges to start splunkd and bind to reserved ports.
To start splunkd as the splunk user on Solaris 10, run:
# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk
To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):
# usermod -K defaultpriv=basic,net_privaddr splunk
Note: usermod -K defaultpriv= replaces the user's whole default privilege set rather than adding to it, so list every privilege the user needs in a single command. The basic set already includes proc_exec and proc_fork, so this second command leaves the user with the same effective privileges as the first.