This really isn't a "Splunk" question so much as it is a Unix file system permissions one. Splunk is just like any other process, required to follow the permission model as defined by the operating system. You have some options:
Run Splunk as root (you've already said this is undesirable)
Hack up a scripted input that can run setuid (also undesirable IMHO)
See if Solaris will let you apply a POSIX ACL to the /var/log/authlog file, explicitly granting read privs to user splunk. The big trick here is whether it will be maintained over rotations and so on.
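For the ACL option and the rotation concern raised in the answer above, here is an added example (not part of the original post) that checks `getfacl`-style output for an effective read entry and tells a missing entry apart from one disabled by the mask. It assumes POSIX-draft ACLs managed with `getfacl`/`setfacl`; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: user "splunk" and /var/log/authlog come from
# the post; entries look like "user:NAME:rwx" and "mask:rwx" (or "mask::rwx").

# acl_user_can_read USER   (getfacl output on stdin)
# returns 0: entry grants read, 1: no read entry for USER, 2: entry masked out
acl_user_can_read() {
    awk -F: -v u="$1" '
        { sub(/[ \t]*#.*$/, "") }   # drop headers and "#effective:" notes
        $1 == "user" && $2 == u { perm = $NF; found = 1 }
        $1 == "mask"            { mask = $NF; has_mask = 1 }
        END {
            if (!found || substr(perm, 1, 1) != "r") exit 1
            if (has_mask && substr(mask, 1, 1) != "r") exit 2
            exit 0
        }'
}

# ensure_read_acl FILE USER: run from cron or a post-rotation hook.
ensure_read_acl() {
    rc=0
    getfacl "$1" 2>/dev/null | acl_user_can_read "$2" || rc=$?
    case "$rc" in
        0) return 0 ;;
        1) echo "no read ACL for $2 on $1, re-applying" >&2
           setfacl -m "user:$2:r--" "$1" ;;
        *) echo "ACL for $2 on $1 is disabled by the mask" >&2
           return 2 ;;
    esac
}

# Constructed sample listings (not captured from a real host).
SAMPLE_OK='# file: /var/log/authlog
user::rw-
user:splunk:r--    #effective:r--
group::---
mask:r--
other:---'
SAMPLE_ROTATED='# file: /var/log/authlog
user::rw-
group::---
other:---'
SAMPLE_MASKED='# file: /var/log/authlog
user::rw-
user:splunk:r--    #effective:---
group::---
mask:---
other:---'
```

A freshly created log file after rotation looks like `SAMPLE_ROTATED`, which is the case the answer warns about; the masked case can appear after a later `chmod` on the file.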