Splunk Universal Forwarder Install and Setup

We're going to show you how to set up the Splunk Universal Forwarder. This will allow you to send logs and data from a remote host to a centralized indexer. Before actually setting up the forwarder we are going to show you how to enable receiving on the indexer so that the forwarder will have something to connect to.

We're covering the following on this page: enabling receiving on the indexer, setting up the forwarder under a dedicated user, and enabling the forwarder to start on boot with systemd.

NOTE - Swap in your own specific information in any place where we use an exact version number, IP address, or home directory path.

You need to enable receiving before you can actually receive data from your forwarders. This can be done from the GUI (Settings > Forwarding and receiving > Configure receiving > New Receiving Port; 9997 is the conventional port). If it is already set up, you will see the port listed as "Enabled" here. You can also do this from the CLI if you want (splunk enable listen 9997). Then restart Splunk from the CLI on the Splunk indexer host (where you installed Splunk Enterprise):

$SPLUNK_HOME/bin/splunk restart

Assuming that you run splunk as the dedicated user "splunk", you will want to become that user first (for example with su - splunk). You will want to make sure that you are logged in as this user before starting the forwarder for the first time and before enabling it in systemd; files created under the install tree by a root-run start will be owned by root, and the dedicated user will then be unable to start the forwarder.

Set up the SPLUNK_HOME and PATH environment variables for the current shell while also adding them to your .bashrc file to make them persistent. Use >> (append); a single > would overwrite .bashrc and keep only the last line:

echo 'export SPLUNK_HOME=/opt/splunkforwarder' >> ~/.bashrc
echo 'export PATH=$PATH:$SPLUNK_HOME/bin' >> ~/.bashrc

Re-read the file (source ~/.bashrc) or log in again so the variables apply to the current shell.

For the first time starting, start the forwarder with --accept-license to accept the license without reading it:

$SPLUNK_HOME/bin/splunk start --accept-license

It will also ask you to create a user name and password to manage the forwarder.

Enable Splunk start on boot with systemd. Run this while still logged in as the dedicated splunk user (sudo is needed to write the unit file; the -user option makes the generated unit run the service as the dedicated user instead of root, which is what keeps ownership of the install tree intact across restarts):

sudo /opt/splunkforwarder/bin/splunk enable boot-start -systemd-managed 1 -user splunk

Now you will see it listed with this command:

systemctl list-unit-files | grep -i splunk

You can now start and stop it with systemd, using the unit name that command shows (SplunkForwarder.service for the universal forwarder):

sudo systemctl start SplunkForwarder
sudo systemctl stop SplunkForwarder

If you are using a dedicated user, make sure you are logged in as that user while setting up data sources.


I have the Debian package installed at home lab and it seems to use systemd as default now. If I restart splunkd as my install user (which is called siem), I am prompted for the root password, then a message says I have to restart as root using systemctl. Back when I used init instead it was important to restart splunk as the installation user, siem, otherwise splunk would not start properly, I think because somewhere under the installation tree under /opt/splunk, ownership of a file had changed (lock file?). I say that because a "chown -R siem:siem /opt/splunk" fixed that issue and the siem user could restart splunk again. This is a common issue for us in production and was caused by others upgrading systems and the way they shut down and start the services, being none the wiser that this would then cause an issue with the Splunk installation. Similar issue if someone installs splunk as the default user (splunk): the siem user could not start splunk until "chown -R siem:siem /opt/splunk" (these are rpm-based systems still using init). So I wonder if systemd is causing a similar issue, as it appears to be forcing the Splunk service to be started as root and not the user that splunk was installed under. And if remotely restarting, perhaps a prompt for the root password is not being seen, so Splunk cannot restart? Maybe an expect script over ssh is a remote solution? But not ideal. Maybe sudo is the answer, but that will be a whole lot of servers to manage, does not fit in with the company's security policy, and getting the root password is an absolute pain procedure-wise. I'm hoping I can force a legacy startup until Splunk can advise how to install Splunk Enterprise under a specific user and be able to restart Splunk when we need to as that user. Fortunately we are still using init in production; I hope it stays that way. Otherwise Splunk just becomes a lump painting us into a corner.
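The forwarder setup steps above (persisting SPLUNK_HOME and PATH, first start as the dedicated user, enabling boot-start under systemd) and the ownership problem described in the post (files under the install tree no longer owned by the service user after a root restart), as one added shell example. This is not code from the original page or from Splunk. It assumes the forwarder lives in /opt/splunkforwarder and runs as a user named splunk (both overridable through environment variables), the function names are hypothetical, and nothing touches a live system unless the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example, not from the original page or from Splunk.
# Assumptions (override via environment): SPLUNK_HOME=/opt/splunkforwarder,
# SPLUNK_USER=splunk, RCFILE=~/.bashrc.  Nothing below touches a live
# system unless the script is run with the argument "run".
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
RCFILE="${RCFILE:-${HOME:-/tmp}/.bashrc}"

# Append line $1 to file $2 only if it is not already present.
# '>>' appends; a single '>' (as in the page's echo lines) would have
# truncated ~/.bashrc and kept only the last export.
append_once() {
    if [ -f "$2" ] && grep -qxF -- "$1" "$2"; then
        return 0
    fi
    printf '%s\n' "$1" >> "$2"
}

# Exit 0 if the current user is the expected dedicated account, else 1.
running_as() {
    [ "$(id -un)" = "$1" ]
}

# Print every path under directory $1 that is not owned by user $2.
# Non-empty output is the condition the post fixes with "chown -R":
# files created by a root-run restart block the service user later.
foreign_owned() {
    find "$1" ! -user "$2" 2>/dev/null
}

# Export SPLUNK_HOME and PATH for this shell and persist them in RCFILE.
setup_env() {
    export SPLUNK_HOME
    export PATH="$PATH:$SPLUNK_HOME/bin"
    append_once "export SPLUNK_HOME=$SPLUNK_HOME" "$RCFILE"
    append_once 'export PATH=$PATH:$SPLUNK_HOME/bin' "$RCFILE"
}

# First start as the dedicated user (accepts the license and prompts for
# the admin credentials), then register the systemd unit.  sudo is needed
# to write the unit file; -user makes the unit run splunkd as $SPLUNK_USER
# instead of root, which keeps the install tree's ownership intact.
first_start_and_enable() {
    if ! running_as "$SPLUNK_USER"; then
        echo "run this as $SPLUNK_USER (you are $(id -un))" >&2
        return 1
    fi
    if [ -n "$(foreign_owned "$SPLUNK_HOME" "$SPLUNK_USER")" ]; then
        echo "files under $SPLUNK_HOME are not owned by $SPLUNK_USER; run chown -R first" >&2
        return 1
    fi
    "$SPLUNK_HOME/bin/splunk" start --accept-license
    sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -systemd-managed 1 -user "$SPLUNK_USER"
    systemctl list-unit-files | grep -i splunk
}

# Guard: only act on the real system when explicitly asked.
if [ "${1:-}" = "run" ]; then
    setup_env
    first_start_and_enable
fi
```

Run it as the dedicated user with `sh setup-uf.sh run`; the ownership check refuses to proceed when any file under the install tree belongs to another account, so a root-owned lock file is caught before the first start rather than surfacing as a failed service later.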