Access to directories

mdzmuran
Observer

I have a directory accessible through a UNC path. As a normal domain user, I have read access to that directory and I can see it in File Explorer. But if I put the UNC path in the File or Directory field of the new data input form, it accepts the input but shows that there are no files in the directory.
My idea is that because the local system user running the Splunk server does not have access to that directory, it cannot read the contents, but I am not sure.

Any idea how to fix it?
Thanks
Michal Dzmuran

1 Solution

nickhills
Ultra Champion

This is not 'technically' a Splunk problem, but I would suggest your diagnosis is correct.

The 'best' solution is to install a UF on the server providing the UNC share (if that's in any way possible) however, if this is a NAS appliance or some other share which can't run a Splunk Forwarder, your options are probably limited to:

a.) Run Splunk as a user to whom you can grant permissions. (You may want to install an HF for this, rather than using indexers to perform such collection)
b.) relax the perms on the share to allow the system user (local unauthenticated)
c.) script something to retrieve the files as an authenticated user and write them to a temp location.

All three of the above are fraught with complexity (of varying levels and security misgivings).

Whilst you may not be in full control of your own destiny, I suggest having a look at the following thread, which lists the large number of problems Windows presents to Splunk. Yours is one such example:
https://answers.splunk.com/answers/516059/what-are-the-pain-points-with-deploying-your-splun.html

If my comment helps, please give it a thumbs up!

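As an added example of option (c) in the answer above (not code from the thread or from Splunk), a PowerShell script that maps the share with an explicit credential, mirrors new or changed files into a local staging folder the Splunk service account can read, and drops the mapping again. The share path, staging folder and credential file path are assumptions; the credential is stored once with Export-Clixml so no password appears in the script or the scheduled task.

```powershell
# Added example for option (c): stage files from a share the Splunk service account
# cannot read, so a local [monitor://] input can index them. Not code from the thread.
# Assumptions (constructed): the share is \\fileserver\logs, the staging folder is
# C:\SplunkStaging\logs, and the credential was saved once, as the account that will
# run the scheduled task, with:
#   Get-Credential | Export-Clixml -Path C:\ProgramData\SplunkStaging\share.cred
# Export-Clixml protects the password with DPAPI, so the file only decrypts for that
# user on that host; the password is never written into the script or task definition.

$Share    = '\\fileserver\logs'
$Staging  = 'C:\SplunkStaging\logs'
$CredFile = 'C:\ProgramData\SplunkStaging\share.cred'
$Pattern  = '*.log'

$cred = Import-Clixml -Path $CredFile

# Map the share with explicit credentials; the PSDrive is visible only to this script.
New-PSDrive -Name SplunkShare -PSProvider FileSystem -Root $Share -Credential $cred -Scope Script | Out-Null
try {
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null
    $copied = 0
    foreach ($src in Get-ChildItem -Path 'SplunkShare:\' -Filter $Pattern -File) {
        $dest = Join-Path $Staging $src.Name
        # Copy only new or changed files, so the Splunk monitor sees each file once
        # and re-reads it only when the source actually changed.
        if (-not (Test-Path $dest) -or $src.LastWriteTimeUtc -gt (Get-Item $dest).LastWriteTimeUtc) {
            Copy-Item -Path $src.FullName -Destination $dest -Force
            $copied++
        }
    }
    Write-Host "Staged $copied file(s) from $Share to $Staging"
}
finally {
    # Always drop the mapping so the authenticated session does not linger.
    Remove-PSDrive -Name SplunkShare -Force
}
```

Run it from a scheduled task under the account that created the credential file, and point a `[monitor://C:\SplunkStaging\logs]` stanza in inputs.conf at the staging folder; restrict the staging folder's ACL to that account and the Splunk service account.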

mdzmuran
Observer

UF was the first option, but the old AIX version is not supported by Splunk. Thanks for the ideas, however.
