Types of Accounts - While Installing Splunk Enterprise

Srini1207
Engager

Hi Team,

I'm a newbie to Splunk. I tried to install Splunk Enterprise on my server and it asked for the account type: Local, Domain or Virtual. I couldn't understand when to use which type of account. Can anyone clearly explain what the account types are, when each is used and under which conditions?

Thanks

gcusello
SplunkTrust

Hi @Srini1207,

I suppose you're installing Splunk on Windows.

You need an account with an administration role; the best thing is Local System, or another lesser role.

Ciao.

Giuseppe

Srini1207
Engager

Thanks for your reply @gcusello, and your guess is right, we are trying to install it on Windows.

But I am trying to figure out which type of account we need to use under which circumstances. For example,

Using Local System will get logs from the local machine only. But if we use a Domain account, we can get remote machine logs where forwarders are not installed (my understanding), and the Virtual account, I have no idea about it. Can you explain this?

Thanks

Srini

gcusello
SplunkTrust

Hi @Srini1207,

I have never used virtual accounts, so I don't know what they are!

Anyway, yes, you need a domain account if you have to use WMI; you cannot do it using a Local account.

I use WMI only when I cannot use other solutions, for just this reason: I don't like to use a Domain admin account to install and run Splunk. Also, forwarders are more efficient, secure and performant, so think again about the opportunity to use Universal Forwarders instead of WMI.

Ciao.

Giuseppe
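
An added example to go with the account-type discussion above (this is my code, not something posted in the thread or shipped by Splunk). It lists the account each Splunk service runs under and classifies it as a built-in local account (LocalSystem and friends), a virtual account (NT SERVICE\...), a local user or a domain account; it checks whether the token it runs under holds Domain Admins, which is the thing Giuseppe wants to avoid; and it probes remote WMI over DCOM, which is the transport the Splunk WMI input relies on. Assumptions: the Splunk service names start with "Splunk" (SplunkForwarder, Splunkd, Splunkweb), and 'fileserver01' is a placeholder host name. Run it elevated on the Splunk host, and run it once more under the candidate service account (runas) to see what that account can reach.

```powershell
# Added example, not from the thread or from Splunk.
# Assumptions: Splunk service names start with "Splunk"; 'fileserver01' is a placeholder.

function Get-SplunkServiceAccount {
    param([string]$Prefix = 'Splunk')
    # WQL wildcard is %, so this matches SplunkForwarder, Splunkd, Splunkweb, ...
    Get-CimInstance -ClassName Win32_Service -Filter ("Name LIKE '{0}%'" -f $Prefix) |
        ForEach-Object {
            $runsAs = $_.StartName
            $kind = if ($runsAs -match '^(LocalSystem|NT AUTHORITY\\(SYSTEM|LocalService|NetworkService))$') {
                'Local built-in: authenticates to other hosts as the computer account, so remote WMI normally fails'
            } elseif ($runsAs -match '^NT SERVICE\\') {
                'Virtual account: per-service identity, no password to manage, same network behaviour as built-in'
            } elseif ($runsAs -match ('^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\')) {
                'Local user: rights on this machine only'
            } else {
                'Domain account: the only kind that can read remote hosts over WMI'
            }
            [pscustomobject]@{ Service = $_.Name; RunsAs = $runsAs; Kind = $kind }
        }
}

function Test-CurrentUserIsDomainAdmin {
    # Domain Admins is RID 512 of the domain SID. Run this as the candidate
    # service account to confirm it is NOT a domain admin before using it for Splunk.
    $groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups
    [bool]($groups | Where-Object { $_.Value -like 'S-1-5-21-*-512' })
}

function Test-RemoteWmi {
    param([Parameter(Mandatory)][string]$ComputerName)
    # DCOM, not WinRM: this is what the Splunk WMI input uses, so a failure
    # here under the service account means the WMI input will fail too.
    $session = $null
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        [pscustomobject]@{ Host = $ComputerName; WmiOk = $true;  Detail = $os.Caption }
    } catch {
        [pscustomobject]@{ Host = $ComputerName; WmiOk = $false; Detail = $_.Exception.Message }
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

Get-SplunkServiceAccount | Format-Table -AutoSize
"Current token holds Domain Admins: $(Test-CurrentUserIsDomainAdmin)"
Test-RemoteWmi -ComputerName 'fileserver01' | Format-List
```

If the services show LocalSystem and you only need local event logs and files, there is nothing to change. If you need the WMI input, the account that `Test-RemoteWmi` succeeds under is the one to run splunkd as, and `Test-CurrentUserIsDomainAdmin` run under that account should return False.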

Srini1207
Engager

Thanks for your reply @gcusello. Which account can be used as the local system account?

Also, I would like to know how to collect the PowerShell logs, browser logs (Chrome, Edge and Firefox), logs of all the applications running on it, and file change logs using the universal forwarder installed on all machines under the local system account. I got an answer for PowerShell like this:

#Monitor PowerShell Windows Event Logs
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
renderXml = 1
index = yourindex
sourcetype = WinEventLog:Powershell

What about others?


Thanks,

Srini

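
An added example for the "what about others?" question above (mine, not from the thread or from Splunk). Two of the sources asked about only produce events if the host is told to produce them: PowerShell script block logging has to be switched on for event 4104 to appear in Microsoft-Windows-PowerShell/Operational, and file changes only land in the Security log (4656/4663/4660/4670) when the "File System" audit subcategory is enabled and the folder carries a SACL. The script turns both on, then writes an inputs.conf with the PowerShell stanza from the post plus Security and Application stanzas; all of them are readable by a forwarder running as Local System, with no domain rights. Browser logs are not covered, since the browsers named do not write to the Windows event log. Assumptions: the UF lives in C:\Program Files\SplunkUniversalForwarder, the app name "win_inputs_local", the index "winlogs" and the audited folder C:\Shares\Finance are placeholders; run it elevated.

```powershell
# Added example, not from the thread or from Splunk.
# Assumptions (placeholders): UF install path, app name, index name, audited folder.
# Run elevated: auditpol, SACL changes and HKLM writes need it.

$UfHome    = 'C:\Program Files\SplunkUniversalForwarder'
$AppDir    = Join-Path $UfHome 'etc\apps\win_inputs_local\local'
$Index     = 'winlogs'
$AuditPath = 'C:\Shares\Finance'

# 1. PowerShell: script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. File changes: the Security log only records object access when the
#    subcategory is enabled AND the folder has an audit ACE (SACL).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
New-Item -ItemType Directory -Path $AuditPath -Force | Out-Null
$acl  = Get-Acl -Path $AuditPath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            'Everyone',
            'Write,Delete,ChangePermissions',
            'ContainerInherit,ObjectInherit',
            'None',
            'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditPath -AclObject $acl

# 3. inputs.conf for the forwarder. Local System can read all three channels.
$inputs = @"
# Monitor PowerShell Windows Event Logs (script block logging = event 4104)
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
renderXml = 1
index = $Index
sourcetype = WinEventLog:Powershell

# File change events from the SACL set above:
# 4656 handle requested, 4663 object accessed, 4660 object deleted, 4670 permissions changed
[WinEventLog://Security]
disabled = 0
renderXml = 1
index = $Index
whitelist = 4656,4660,4663,4670

# Application log: what installed applications write through the event log API
[WinEventLog://Application]
disabled = 0
index = $Index
"@
New-Item -ItemType Directory -Path $AppDir -Force | Out-Null
Set-Content -Path (Join-Path $AppDir 'inputs.conf') -Value $inputs -Encoding ASCII

# Pick up the new inputs.
Restart-Service -Name SplunkForwarder
```

The whitelist on the Security stanza is deliberate: without it, an audited file share will push every 4663 into the index. Widen the SACL (more rights, more identities) only for folders you actually care about; object access auditing is noisy, and the audit rule rather than the Splunk stanza is what controls the volume.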

gcusello
SplunkTrust

Hi @Srini1207,

as I said, on my PC I use local admin,

but I have Windows installations only for tests or labs, never for production systems, especially not for large infrastructures, so I don't have many use cases on Windows.

Ciao.

Giuseppe
