All Apps and Add-ons

Are there permissions for splunk user on universal forwarder for Windows?

akyz
Explorer
We're deploying the Windows Universal Forwarder add-on to our environment and are using a gMSA. We have configured the basic permissions outlined here Choose the Windows user Splunk Enterprise should run as - Splunk Documentation. While we are now getting event log data ingested into Splunk Enterprise we do not see all the event log data. I believe we're missing Security. Is there any extra security permissions we're missing?
 
 
Labels (3)
0 Karma
1 Solution

akyz
Explorer

Thanks for your inputs and replies. I was able to figure it out by granting the gMSA that we have running the Universal Forwarder service read/write permissions to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.

Once that was done all the security logs were flowing into our indexer.

Thank you.

View solution in original post

0 Karma

akyz
Explorer

Yes the data inputs are defined and all event logs are selected. 

Yeah I See the local event log readers group going to try that out. Does Splunk have any sort of documentation explaining all the permissions that are needed to properly ingest the data?

0 Karma

PickleRick
Ultra Champion

The article you cited gives a pretty good description of permissions and privileges needed for UF to run. But the permissions to specific event logs is another cup of tea... It's more of a "windows knowledge" than splunk knowledge. I remember having spent whole day until I found the logreaders group (but I was pulling logs with WMI).

0 Karma

PickleRick
Ultra Champion

Stupid question - do you have an input defined for the Security eventlog?

But if you do (that was just a quick check to see if you hadn't forgotten it) did you add your splunk user to the ACL on the Security eventlog? It's very ugly and it's done in the Registry by means of SDDL. So it's often way easier to just add your splunk user to local Eventlog Readers group (or something similarily named).

0 Karma

akyz
Explorer

Thanks for your inputs and replies. I was able to figure it out by granting the gMSA that we have running the Universal Forwarder service read/write permissions to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.

Once that was done all the security logs were flowing into our indexer.

Thank you.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...