I am running Splunk Enterprise 6.3.1 and the universal forwarder. We deploy the universal forwarder onto a Linux machine, where it runs under the account of Splunk.
Splunk is started with the account Splunk, and that has the following:
uid=880(splunk) gid=880(splunk) groups=880(splunk),600(dba),1201(buildgrp)
But it appears that it cannot see directories or files owned by the dba group, i.e.:
drwxr-x--- 8 oracle dba 4096 Jan 24 22:15 par-01
drwxr-xr-x 3 oracle dba 4096 Jan 24 21:15 par-02
drwxr-xr-x 3 oracle dba 4096 Jan 24 21:15 par-03
drwxr-xr-x 3 oracle dba 4096 Jan 24 21:15 par-04
It can see par-02 to par-04 but not par-01.