usr/bin/setfacl -m g:splunk:r /var/log/messages You can deploy this file automatically when provisioning new servers in the future.Ĭreate a file in that folder and name it splunk_logaccess or anything that helps you identify it. We will try not to modify /etc/nf directly and add a custom file instead. Linux rotates its logs following a configuration that is defined in /etc/nf and it also reads and applies everything defined in /etc/logrotate.d/. However, it is not yet sufficient as next time the file will rotate, this will disappear. This shows us that the Splunk group has been added to the list, and we can monitor this root-owned file in Splunk. # group: log]# setfacl -m g:splunk:r log]# getfacl messages Go to the /var/log folder and use getfacl command on the messages file: log]# getfacl messages In our case, let’s pretend we have root access and we can directly change the permissions. This can also be solved by asking your Linux admin, if you’re not the owner of the server. The downside is that you need to have root access or a sudo role to be able to modify the file’s permissions. While there are different ways to go about solving these permission issues, ACLs have been created specifically for this scenario. The Solution: Access Control Lists (ACLs) Splunk user will not be able to read this file. Here we can definitely see that only Root has got read and write permissions on that file. 1 root root 0 Sep 22 02:10 messagesĪs a reminder you can use UGO to figure out how the permissions work: You should find this event: 09-24-2019 19:39:45.847 +0100 WARN TailReader - Insufficient permissions to read file='/var/log/messages' (hint: Permission denied, UID: 1001, GID: 1001).Īt the Linux level, you can check the permissions with the command: You can add host="" if you’re not monitoring locally. Use this command to find the warnings: index="_internal" file='/var/log/messages' log_level="WARN" component=TailReader Let’s take /var/log/messages as an example. The issue: Insufficient permissions to read root-owned files
A much better solution is to use Access Control Lists, as described below. Your Splunk instance or user could be compromised and be used for a privilege escalation on the server. However, this is not the best solution as it opens the way to a lot of trouble. Some people would dismiss this problem by adding their Splunk user to the root/admin group. I am looking forward to your expert opinion.The first challenge you may encounter when trying to monitor files on a Linux server is when you’re trying to access files your Splunk user is not allowed to read, such as root-owned files.
Splunk monitor file code#
I am not sure if I need to make any other changes in some other file or the code written by me is wrong for it. However, when I try to check for the events in Splunk, I don't get any event uploaded there in last 24 hours. Change the nf at C:\Program Files\Splunk\etc\system\local as following: Create C:\SaeXXXLog Folder and put the Creator_29_05.csv and Receiver_29_05.csv at this location (only 2 files).Ģ. I am using Splunk Enterprise 7 local instance and want to upload 2 CSV files with same index but different sourcetype to splunk daily.ġ. I recently read about the splunk file monitoring with nf at.
0 kommentar(er)
