What is the most secure way to allow a user read access to a log file

January 5, 2022 at 1:23 pm Leave a comment

I am running Splunk Enterprise on a Linux Server in our environment. Our Security Standards , prevents the Splunk from running under root User. In this scenario , we will come across a situation , where we will not be able to read the critical Linux logs like audit , messages , secure etc.

There are several methods to achieve this , But in this post I am using the ACL method.

First , you need to set the acl’s on these files located in the /var/log folder. My Splunk is running under the user splunkadmin

# setfacl -m g:splunkadmin:r /var/log/messages
# setfacl -m g:splunkadmin:r /var/log/secure
# setfacl -m g:splunkadmin:r /var/log/maillog

The above changes will not retain , when the logs are rotated. Thus you need to create postrotate action for these logs to retain the ACL's.

1) Create a text file in the folder /etc/logrotate.d/Splunk_ACLs ( My file name is SplunkACLs).
2)  Add the below entries in the file 
        /usr/bin/setfacl -m g:splunk:r/var/log/maillog
        /usr/bin/setfacl -m g:splunk:r /var/log/messages
        /usr/bin/setfacl -m g:splunk:r /var/log/secure

You can verify the ACLS using
#getfacl /var/log/messages

On the other hand , The steps for audit files are different .

Check the current permissions
#ls -l /var/log/audit/audit.log
-rw——- 1 root root 3531590 Jun 1 00:20 /var/log/audit/audit.log

Then edit the auditd.conf file and change the log_group parameter to splunkadmin instead of root.
log_group = splunkadmin

Restart the auditd services
#service auditd restart

You can re-verify the permissions
#ls -l /var/log/audit/audit.log
-rw-r—– 1 root splunkadmin 3532862 Jun 1 00:24 /var/log/audit/audit.log




Entry filed under: Linux. Tags: , , , , , .

Datastore conflicts with an existing datastore in the datacenter that has the same URL” error in vCenter Server How To Find My Public IP Address From Command Line On a Linux

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Trackback this post  |  Subscribe to the comments via RSS Feed



Follow Hope you like it.. on WordPress.com

Blog Stats

  • 53,974 hits

%d bloggers like this: