Setting up Splunk for the first time, was wondering if I could get some advice. I have to install it as a local system account or domain user. What is the most common method used by administrators? My infrastructure is as follows:
Four physical hosts for VMware infrastructure, each host has 256 GB RAM and 16 cores, so hosts are hardly being taxed, 50-55 virtual servers, Compellent SAN with 15k drives at tier 1, and 7200k drives at tier 3, Cisco ASA5525-X.
I will be the only one looking at the logs and running any reports, so just one user. We have the lowest Splunk license of 500 MB.
My initial thought was to install as a local system account, then put the universal forwarder on my servers to send logs to the Splunk server? This is the first time I have set up any type of syslog server, and would appreciate some insight to get me started down the right path, thanks.
You don't need to be confused. Are you asking about the parameter where you install the forwarder/instance?
We would require admin permission while installing Splunk for sure. If you provide any domain user name to run your services, then you need to provide the user/password. Your splunkd and splunkweb will run under that. This case is required if you have any remotely accessed logs/files that exist on some other server. The account should have access throughout the landscape.
If you will monitor on the same machine as well, the account should have access to all the resources. If the local account has all the right permissions, then it can also be used.