topic Re: Universal Forwarder on Windows - Administrator Credential in Splunk Enterprise

What is the purpose of Universal Forwarder on Windows - Administrator Credential?

shocko — Thu, 10 Feb 2022 16:52:42 GMT

I'm running Splunk Enterprise 8.2.4. When deploying the Universal Forwarder for Windows (version 8.2.4) and selecting to run it under the Local System account it subsequently asks me for the 'create credentials for the administrator account' as per attached. What is the purpose of this ?

Re: Universal Forwarder on Windows - Administrator Credential

isoutamo — Thu, 10 Feb 2022 16:54:09 GMT

That is for Splunk’s internal admin user. Normally it’s not used in UF, but time by time there could be some situations when those are useful.
r. Ismo

Re: What is the purpose of Universal Forwarder on Windows - Administrator Credential?

PickleRick — Thu, 10 Feb 2022 17:07:53 GMT

It's a misunderstanding. One thing is the windows user the application runs with - Local System or a particular local/domain account. That's configured on a previous screen.

What you're showing is a local splunk uf user - it's a internal splunk authentication method. It's needed if you - for example run splunk btool command or create inputs/outputs by means of cli commands. You have to provide this user's credentials in order to manipulate splunk installation.

So you might run UF as Local System or Your_Domain\splunk or whatever user you want but you create a user _within splunk uf_ for some administrative tasks.

Re: What is the purpose of Universal Forwarder on Windows - Administrator Credential?

shocko — Thu, 10 Feb 2022 18:28:44 GMT

OK but I have run the btool command from the UF (for example) on Windows and have never been prompted for this credential. That said, I'm always logging into my Windows Server System as an OS admin user.

I MUST specify it using the UI installer though. I can understand that you might use this as follows:

You have a script that has standard non-elevated OS user rights on Windows and hence cannot access the underlying conf files
You want this script to configure the UF
The Splunk forwarder credential used during setup can be assigned to the script for this usage

I will test this hypothesis.

Re: What is the purpose of Universal Forwarder on Windows - Administrator Credential?

PickleRick — Thu, 10 Feb 2022 22:46:48 GMT

Ok, maybe btool doesn't require it (I don't usually run it on UFs so I might nit remember exactly but listing input status needed authenticating for sure)

Re: What is the purpose of Universal Forwarder on Windows - Administrator Credential?

shocko — Tue, 15 Feb 2022 20:41:07 GMT

The following command will ask for the admin password on windows UF:

splunk monitor list

As such, I agree that the admin password appears to be required for Splunk based auth to run certain commands. Makes a lot of sense actually as separates the software to a degree form the OS auth model.