This may be more of a Windows UAC question than a splunk question, but I'm guessing that others are going to be running into this too. (I don't have a lot of Win2k8 experience, so please forgive me if I'm missing something obvious.)
Whenever I try to run a "splunk" command from a Command Prompt on my Win2k8R2 box, I get prompted with a "User Account Control" dialog box:
Do you want to allow the following program to make changes to this computer?
Program name: splunk.exe
Verified publisher: Splunk Inc
File origin: Hard drive on this computer
Program location: "C:\Program Files\Splunk\bin\splunk.exe" test sourcetype H:\ArchivedLogs\log_archive.log
If I say "Yes" and allow the program to run, then splunk is run in a new Command Prompt window that flashes open, and for a split second I can see some text, but then it closes down before I can read anything.
I've also tried using the runas utility, but then I get the message:
RUNAS ERROR: Unable to run - splunk test sourcetype H:\ArchivedLogs\log_archive.log
740: The requested operation requires elevation.
If you are just running splunk start or something like that, then this doesn't matter too much, but there are plenty of commands that have output that I need to be able to see. (Such as "splunk test sourcetype <file>", or even a simple "
Any help would be appreciated.
I have a couple Win2k8R2 servers set up with splunk and I've run into this issue on all of them so far. (I've tried this with various Splunk 4.1.x versions). All of these installs have splunk running as the default local SYSTEM user.
I've tried a few different runas commands with no luck (but I could be missing something). Any attempts to redirect the standard output haven't worked either.
When opening the command prompt, run it as Administrator. I tested this and it seems to get rid of the "Do you want to allow the following program to make changes to this computer?" box and separate cmd window.
Yeah, that does get rid of the UAC stuff, but I'm being told that a new version of Splunk was installed and the upgrade process needs to be run. Unfortunately it crashes during the migration.
The migration crash seems to be related to yet another permissions issue. (I'm guessing Administrator vs SYSTEM?) But whatever, I think this is the right answer. Although, I still don't understand why this works as the "Administrator" user, but not for a user who is in the Administrator group.
UAC is not dependent on the system groups. Essentially nothing is run as Administrator unless you specifically tell it to.
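
The distinction drawn in the last reply, as an added PowerShell example that is not part of the original thread: it reports whether the current console is elevated or merely owned by a member of Administrators, and runs splunk.exe in place only when elevated. The function names are hypothetical; the path and arguments are the ones shown in the question.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible (Win2k8R2).
# Assumption: Splunk is installed at the path shown in the UAC dialog above.
$SplunkExe = 'C:\Program Files\Splunk\bin\splunk.exe'

function Test-Elevated {
    # True only when the Administrators group is *enabled* in this process token,
    # i.e. the console itself was started elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AdminGroupMember {
    # True when the Administrators SID (S-1-5-32-544) is present in the token at all.
    # Under UAC a non-elevated admin still carries it, marked "Group used for deny only".
    $groups = & whoami.exe /groups /fo csv /nh
    return [bool]($groups | Where-Object { $_ -match '"S-1-5-32-544"' })
}

function Invoke-SplunkCli {
    param([string[]]$SplunkArgs)

    if (Test-Elevated) {
        # Elevated console: splunk.exe runs here, so its output stays readable.
        & $SplunkExe $SplunkArgs
    }
    elseif (Test-AdminGroupMember) {
        Write-Warning 'Account is in Administrators, but this console holds the filtered, non-elevated token.'
        Write-Warning 'Open the console with "Run as administrator" and rerun the command there.'
    }
    else {
        Write-Warning 'Account is not in Administrators; elevation requires an administrator account.'
    }
}

# The command from the question.
Invoke-SplunkCli -SplunkArgs 'test', 'sourcetype', 'H:\ArchivedLogs\log_archive.log'
```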