Running Splunkd as a gMSA

davidjohnbecket — Tue, 29 Sep 2020 20:13:45 GMT

Has anyone had success with running the Splunkd service on a HeavyForwarder using a gMSA (Group Managed Service account)?

I am using the gMSA account on the HeavyForwarder already for other services and this is working, but when i try run the Splunkd service as a gMSA i get various issues.

The gMSA is also in the local Administrator group.

The service starts but there are permission issues... Mongo fails to start, KVStore issues etc...

splunkd.log

06-29-2018 10:06:18.557 +0100 ERROR Logger - Failed opening "C:\Program Files\Splunk\var\log\introspection\disk_objects.log": Access is denied.
06-29-2018 10:06:18.557 +0100 ERROR Logger - Failed opening "C:\Program Files\Splunk\var\log\introspection\http_event_collector_metrics.log": Access is denied.
06-29-2018 10:06:18.557 +0100 ERROR Logger - Failed opening "C:\Program Files\Splunk\var\log\introspection\kvstore.log": Access is denied.
06-29-2018 10:06:18.557 +0100 ERROR Logger - Failed opening "C:\Program Files\Splunk\var\log\introspection\resource_usage.log": Access is denied.

06-29-2018 10:08:22.999 +0100 ERROR KVStoreConfigurationProvider - Could not get ping from mongod.
06-29-2018 10:08:22.999 +0100 ERROR KVStoreConfigurationProvider - Could not start mongo instance. Initialization failed.
06-29-2018 10:08:22.999 +0100 ERROR KVStoreBulletinBoardManager - Failed to start KV Store process. See mongod.log and splunkd.log for details.

mongod.log

2018-06-29T09:08:12.347Z I CONTROL [initandlisten] options: { net: { port: 8191, ssl: { PEMKeyFile: "C:\Program Files\Splunk\etc\auth\server.pem", PEMKeyPassword: "", allowInvalidHostnames: true, disabledProtocols: "noTLS1_0,noTLS1_1", mode: "requireSSL", sslCipherConfig: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RS..." } }, replication: { oplogSizeMB: 200, replSet: "E98BF268-F1CB-4CF1-945B" }, security: { javascriptEnabled: false, keyFile: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\splunk.key" }, setParameter: { enableLocalhostAuthBypass: "0" }, storage: { dbPath: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo", mmapv1: { smallFiles: true } }, systemLog: { timeStampFormat: "iso8601-utc" } }

2018-06-29T09:08:12.348Z I STORAGE [initandlisten] exception in initAndListen: 98 Unable to create/open lock file: C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\mongod.lock errno:5 Access is denied.. Is a mongod instance already running?, terminating

What permissions are necessary for a gMSA?

This page talks about service accounts but not specifically about gMSA's

Any help would be appreciated.

topic Running Splunkd as a gMSA in Monitoring Splunk

Running Splunkd as a gMSA