All Apps and Add-ons

Local System account or domain user account

New Member

Setting up Splunk for the first time, was wondering if I could get some advice. I have to install it as a local system account or domain user. What is the most common method used by administrators? My infrastructure is as follows;

Four physical host for vmware infrastructure, each host has 256 GB RAM and 16 cores, so hosts are hardly being taxed,50-55 virtual servers, Compellent SAN with 15k drives at tier 1, and 7200k drives at tier 3, Cisco ASA5525-X

I will be the only one looking at the logs and running any reports, so just one user. We have the lowest Splunk license of 500mb.

My initial thought was to install as a local system account, then put the universal forwarder on my servers to send logs to the splunk server? This is the first time I have set up any type of syslog server, and would appreciate some insight to get me started down the right path, thanks.

0 Karma

New Member

Just want to add one more point, If you want to monitor any network shared folder with UNC path then install as a Domain User Acount.

0 Karma


You don't need to be confused. Are you suggesting about the parameter where you install the forwarder/instance?

We would require admin permission while installing splunk for sure. If you provide any domain user name to run your services then you need to provide the user/password. Your Splunkd and splunkweb will run under that. This case is required if you have any remotely accessed log/files that exists in some other server. The account should have access through out the landscape.

If you will monitor in the same machine as well the account should have access to all the resources. If the local account has all the right permission then it can also be used.


0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: CFP Site: CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...