We have SOS and the Windows Infrastructure apps installed. Just curious if the scripts are executed by the Splunk Search server remotely on the target systems, or by the UF on the target systems? Either way, does the account the Splunk service is started with require interactive logon rights to execute scripts?
So, I'm going to assume you are talking about scripted inputs (as opposed to custom search commands, for example).
As far as S.o.S is concerned, these scripted inputs (and on Windows there is only one, really: ps_sos.ps1
) runs locally and collects resource usage information about Splunk processes running on the local machine only.
If you want to benefit from the same level of information from forwarders or from your indexers, you'll need to install the S.o.S add-on for Windows there.
With that in consideration, interactive logon permissions are not in scope of course, but the execution of unsigned Powershell scripts is.
For more information on all of this, please consult the S.o.S User Manual.
So, I'm going to assume you are talking about scripted inputs (as opposed to custom search commands, for example).
As far as S.o.S is concerned, these scripted inputs (and on Windows there is only one, really: ps_sos.ps1
) runs locally and collects resource usage information about Splunk processes running on the local machine only.
If you want to benefit from the same level of information from forwarders or from your indexers, you'll need to install the S.o.S add-on for Windows there.
With that in consideration, interactive logon permissions are not in scope of course, but the execution of unsigned Powershell scripts is.
For more information on all of this, please consult the S.o.S User Manual.