<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249110#M47953</link>
    <description>&lt;P&gt;Hi All,&lt;/P&gt;

&lt;P&gt;I need to install a Universal forwarder in our environment, but due to strict policies, we cannot give the user it runs with administrative rights.&lt;/P&gt;

&lt;P&gt;Could you please give me a list of minimum access that can be granted to the user to run Universal Forwarders? We only need to forward security logs from the devices. Also, what are the features that will be disabled in Low Privileged mode?&lt;/P&gt;

&lt;P&gt;I have installed 6.3.2.&lt;/P&gt;

&lt;P&gt;Regards,&lt;BR /&gt;
Akshat &lt;/P&gt;</description>
    <pubDate>Wed, 27 Jan 2016 13:06:59 GMT</pubDate>
    <dc:creator>akshatj2</dc:creator>
    <dc:date>2016-01-27T13:06:59Z</dc:date>
    <item>
      <title>How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249110#M47953</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;

&lt;P&gt;I need to install a Universal forwarder in our environment, but due to strict policies, we cannot give the user it runs with administrative rights.&lt;/P&gt;

&lt;P&gt;Could you please give me a list of minimum access that can be granted to the user to run Universal Forwarders? We only need to forward security logs from the devices. Also, what are the features that will be disabled in Low Privileged mode?&lt;/P&gt;

&lt;P&gt;I have installed 6.3.2.&lt;/P&gt;

&lt;P&gt;Regards,&lt;BR /&gt;
Akshat &lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2016 13:06:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249110#M47953</guid>
      <dc:creator>akshatj2</dc:creator>
      <dc:date>2016-01-27T13:06:59Z</dc:date>
    </item>
    <item>
      <title>Re: How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249111#M47954</link>
      <description>&lt;P&gt;*nix or Microsoft?&lt;/P&gt;

&lt;P&gt;The user you install it as would need (read) access to logs that you wish to collect and forward to your indexer(s). Providing that user access depends on the files you wish to forward the content from and the OS you're running the forwarder upon.&lt;/P&gt;

&lt;P&gt;The docs page below is for running Splunk (universal forwarder and heavy forwarder included) as a non-root user on *nix.&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/installation/RunSplunkasadifferentornon-rootuser"&gt;http://docs.splunk.com/Documentation/Splunk/6.0.2/installation/RunSplunkasadifferentornon-rootuser&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Info on user selection in a Windows environment (local or domain) is located in the docs at:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/Installation/ChoosetheuserSplunkshouldrunas"&gt;http://docs.splunk.com/Documentation/Splunk/6.0.2/Installation/ChoosetheuserSplunkshouldrunas&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2016 17:49:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249111#M47954</guid>
      <dc:creator>pgreer_splunk</dc:creator>
      <dc:date>2016-01-27T17:49:59Z</dc:date>
    </item>
    <item>
      <title>Re: How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249112#M47955</link>
      <description>&lt;P&gt;In addition to that, we see it quite frequently that the UF cannot run as a system or priv account (especially in *nix worlds), so I'll focus on the Linux side.&lt;/P&gt;

&lt;P&gt;Typically those security logs you are talking about live in /var/log/* and permissions on this directory tree are usually restricted to root / wheel and priv accounts. This means if you install the UF and run as a non-root user, you won't be able to read these files for ingest.&lt;/P&gt;

&lt;P&gt;There are a few options; most commonly the Splunk user will be added into a group that is granted permissions to read those log files. This takes a bit more time on the sys admin side, but usually conforms to most security policies.&lt;/P&gt;

&lt;P&gt;Outside of that, you would need to go through the modular inputs in the NIX TA. A few of these require super user / root priv to run. So if you enable them without running as root, or again modifying the Splunk user to be able to execute these, then you won't get any results.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2016 18:23:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249112#M47955</guid>
      <dc:creator>esix_splunk</dc:creator>
      <dc:date>2016-01-27T18:23:37Z</dc:date>
    </item>
    <item>
      <title>Re: How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249113#M47956</link>
      <description>&lt;P&gt;Installation is on Windows servers, not Linux.&lt;/P&gt;

&lt;P&gt;Also, I have already installed it using the admin account. Now, if I decrease the privileges and give that user access to read the logs and full access to the folder where it is installed, will that do the job for me, or does it have any special requirements? And will it require the Splunk services to be restarted?&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2016 18:34:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249113#M47956</guid>
      <dc:creator>akshatj2</dc:creator>
      <dc:date>2016-01-27T18:34:01Z</dc:date>
    </item>
    <item>
      <title>Re: How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249115#M47958</link>
      <description>&lt;P&gt;Installation is on Windows devices.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2016 18:34:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249115#M47958</guid>
      <dc:creator>akshatj2</dc:creator>
      <dc:date>2016-01-27T18:34:31Z</dc:date>
    </item>
    <item>
      <title>Re: How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249116#M47959</link>
      <description>&lt;P&gt;If you are not collecting WMI or event logs off the Windows box, only reading log files off disk, then make sure that the user has read permissions to the directory tree and the files. That should be sufficient.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2016 18:40:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-Non-Administrative-User-Account-to-run-universal/m-p/249116#M47959</guid>
      <dc:creator>esix_splunk</dc:creator>
      <dc:date>2016-01-27T18:40:14Z</dc:date>
    </item>
  </channel>
</rss>