Deployment Architecture

Access to directories

mdzmuran
Observer

I have a directory accessible through a UNC path. As a normal domain user, I have read access to that directory and I can see it in File Explorer. But if I put the UNC path in the File or Directory field of the new data input form, it accepts the input, but it shows that there are no files in the directory.
My idea is that because the local system user running the Splunk server does not have access to that directory, it cannot read the contents, but I am not sure.

Any idea how to fix it?
Thanks
Michal Dzmuran

0 Karma
1 Solution

nickhills
Ultra Champion

This is not 'technically' a Splunk problem, but I would suggest your diagnosis is correct.

The 'best' solution is to install a UF on the server providing the UNC share (if that's in any way possible); however, if this is a NAS appliance or some other share which can't run a Splunk Forwarder, your options are probably limited to:

a.) Run Splunk as a user to whom you can grant permissions. (You may want to install an HF for this, rather than using indexers to perform such collection)
b.) relax the perms on the share to allow the system user (local unauthenticated)
c.) script something to retrieve the files as an authenticated user and write them to a temp location.

All three of the above are fraught with complexity (of varying levels and security misgivings).

Whilst you may not be in full control of your own destiny, I suggest having a look at the following thread, which lists the large number of problems Windows presents to Splunk. Yours is one such example:
https://answers.splunk.com/answers/516059/what-are-the-pain-points-with-deploying-your-splun.html

If my comment helps, please give it a thumbs up!

0 Karma
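Option (c) from the answer above, as an added example that is not from the original thread: a PowerShell copy job meant to run from a scheduled task under a read-only domain account, so the task identity (not a password stored in the script) authenticates to the share, and the copied files land in a local staging directory that the Splunk service account can read. The share path, staging directory and account are placeholders; the Splunk service names are the usual Windows ones.

```powershell
# Added example, not from the original thread: option (c) as a copy job that a
# scheduled task runs under a read-only domain account, so no password lives in
# the script. Placeholders (assumptions): share path and staging directory.
param(
    [string]$SharePath  = '\\fileserver.example.local\logs',  # assumption
    [string]$StagingDir = 'C:\SplunkStaging\fileserver-logs'  # assumption; point inputs.conf here
)

# Diagnose first: a service running as LocalSystem has no domain identity on
# the network, which is why a share you can read lists as empty inside Splunk.
Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder' OR Name='Splunkd'" |
    Select-Object Name, StartName, State | Format-Table -AutoSize

# Confirm the identity this task runs as can actually read the share.
if (-not (Test-Path -LiteralPath $SharePath)) {
    throw "Cannot read $SharePath as $env:USERDOMAIN\$env:USERNAME; check share and NTFS ACLs."
}

if (-not (Test-Path -LiteralPath $StagingDir)) {
    New-Item -ItemType Directory -Path $StagingDir | Out-Null
    # Least privilege on the copy: Splunk's account only needs to read the staging tree.
    $acl  = Get-Acl -Path $StagingDir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $StagingDir -AclObject $acl
}

# Copy only files that are new or changed since the last run, keeping the
# relative path so the Splunk source field stays meaningful.
$root   = $SharePath.TrimEnd('\')
$copied = 0
Get-ChildItem -LiteralPath $SharePath -File -Recurse | ForEach-Object {
    $relative = $_.FullName.Substring($root.Length).TrimStart('\')
    $dest     = Join-Path $StagingDir $relative
    $destDir  = Split-Path -Parent $dest
    if (-not (Test-Path -LiteralPath $destDir)) {
        New-Item -ItemType Directory -Path $destDir | Out-Null
    }
    $existing = Get-Item -LiteralPath $dest -ErrorAction SilentlyContinue
    if (-not $existing -or
        $existing.LastWriteTimeUtc -lt $_.LastWriteTimeUtc -or
        $existing.Length -ne $_.Length) {
        Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
        $copied++
    }
}
Write-Output "$(Get-Date -Format o) copied $copied file(s) from $SharePath to $StagingDir"
```

Register the script as a scheduled task running as the read-only domain account, and add a `[monitor://C:\SplunkStaging\fileserver-logs]` stanza (your staging path) to inputs.conf on the forwarder or heavy forwarder.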

mdzmuran
Observer

UF was the first option, but the old AIX version is not supported by Splunk. Thanks for the ideas, however.

0 Karma