Solved: Capture the account/user under which splunk servic...

somesoni2 · ‎04-23-2014

Is there any way to find out which user/service account is running the splunk services on linux?

I am looking to collect this information from all the forwarders (deployed on servers owned by different teams) to ensure correct service accounts are used to start/restart splunk service.

I did go through the Splunk's internal logs on _internal and _audit index but couldn't find the user reference during a service(splunkd) restart. Any pointer to a linux command/shell script/splunk logs should be helpful.

linu1988 · ‎04-23-2014

If you are using Nix app, is it not showing you all the running process details? The user column should show you under which user the splunk forwarder runs.

ps -af|grep "splunkforwarder"

Thanks

View solution in original post

linu1988 · ‎04-23-2014

If you are using Nix app, is it not showing you all the running process details? The user column should show you under which user the splunk forwarder runs.

ps -af|grep "splunkforwarder"

Thanks

somesoni2 · ‎04-29-2014

We don't run Nix app as its little bit heavy app generating lot of data which we don't need. We use parts of it. Based on your suggestion on ps command, I wrote following command to get required information for Splunk related processes.

ps -C java -o euser,f,comm,args,pid |grep splunk

Thanks

martin_mueller · ‎04-23-2014

I think you'll want -A rather than -a, in case the splunkd process doesn't have a tty associated with it.

Capture the account/user under which splunk services are running on linux

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases