3 credentials on one Splunk

splunk13
Explorer

Hi Splunk community!

I have an interesting question: in my network, I have workgroup PCs, DMZ PCs and domain PCs, so Splunk needs 3 credentials.
How can I do that? I really don't want to install a local account on all my PCs.

I've seen that we can install Splunk forwarders. Is it possible to install one normal Splunk and 2 Splunk forwarders on the same PC?

I have no idea how I can do that.

Can anyone help me?

Thank you very much for your help.

Regards,
A happy Splunk user.

0 Karma
1 Solution

krusty
Contributor

I found the problem.

You have to add the following registry key manually with regedit:

Create this folder:

\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Splunkweb2\PythonClass
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Splunkweb2\PythonClass

Create this value in both folders:

Name: (Default) {it depends on the install language; for me it is called (Standard)}
Type: REG_SZ
Value: C:\Programme\Splunk2\bin\SplunkWebService.SplunkwebPythonService

After this modification I can connect to both Splunkweb instances.

http://localhost:8000 -> Splunk1
http://localhost:9000 -> Splunk2

Hope that helps you.

Kind regards,
krusty

0 Karma
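
Added example (not part of krusty's post and not Splunk's own tooling): a read-only PowerShell check for the registry entry described in the solution above, which also flags the two conditions behind events 244 and 128 reported elsewhere in this thread. The service name Splunkweb2 and the control-set names come from the thread; the function name Test-PythonClass is hypothetical, and the folder check is an added sanity check.

```powershell
# Added example: read-only check, nothing is written to the registry.
# Test-PythonClass is a hypothetical helper name; 'Splunkweb2' is the
# second-instance service name used in this thread.
function Test-PythonClass {
    param(
        [string]$ServiceName = 'Splunkweb2',
        # CurrentControlSet is a link to whichever numbered set is active.
        [string[]]$ControlSets = @('CurrentControlSet', 'ControlSet001', 'ControlSet002')
    )
    foreach ($set in $ControlSets) {
        # Skip control sets that do not exist on this host
        if (-not (Test-Path -LiteralPath "HKLM:\SYSTEM\$set")) { continue }

        $key    = "HKLM:\SYSTEM\$set\Services\$ServiceName\PythonClass"
        $value  = $null
        $status = 'OK'

        if (-not (Test-Path -LiteralPath $key)) {
            # Matches event 244: PythonClass entry not found
            $status = 'PythonClass key missing (event 244)'
        } else {
            # GetValue('') reads the unnamed value regedit shows as (Default) / (Standard)
            $value = [string](Get-Item -LiteralPath $key).GetValue('')
            if ([string]::IsNullOrWhiteSpace($value)) {
                $status = 'Default value empty'
            } elseif ($value.LastIndexOf('.') -lt 0) {
                # Matches event 128: no '.' separating module from class
                $status = "No '.' in class string (event 128)"
            } else {
                # Text before the last '.' is the module path; its folder should exist
                $module = $value.Substring(0, $value.LastIndexOf('.'))
                $folder = Split-Path -Path $module -Parent
                if (-not $folder -or -not (Test-Path -LiteralPath $folder)) {
                    $status = "Module folder not found: $folder"
                }
            }
        }
        [pscustomobject]@{ ControlSet = $set; Key = $key; Value = $value; Status = $status }
    }
}

Test-PythonClass -ServiceName 'Splunkweb2' | Format-List
```

Run it from an elevated prompt on the host with the second instance; a Status other than OK for the active control set corresponds to the state in which the second Splunkweb service failed to start in this thread.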

splunk13
Explorer

Thank you very much Krusty!
All is working with you!

You are a good man,
Regards.

0 Karma

krusty
Contributor

Hi splunk13,

I also have problems with splunkweb for the second instance.
I see in eventvwr that splunkweb2 generates two errors, but I cannot locate where they come from.
Do you also have the two events (244 and 128)?

I tried some searches on the internet but couldn't find anything about the events.

Event 1:
Eventid: 244
Source: Python Service
Description: Could not find the service's PythonClass entry in the registry Error 1814

Event 2:
Eventid: 128
Source: Python Service
Description: Could not locate the module name in the Python class string (ie,no '.')

Has anybody had errors like mine?

Kind regards,

0 Karma

splunk13
Explorer

Hi, thank you for the link.

I tried to do that, but I have a problem with how to install a second splunkweb service. (For splunkd it's OK.)

Regards,

0 Karma

paul_1994
Path Finder

Hmm, it seems you learn something every day. I was not aware you could run multiple instances on a Windows server. But I would take heed of the warning that this is not a supported configuration.

Have you changed the web port on the second instance?

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Changedefaultvalues

Example:

splunk set web-port 9000

splunk set splunkd-port 9089

The article above may be able to help ya

0 Karma

krusty
Contributor

Hi splunk13,

Maybe I found something for you.
Please see the link below.
http://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

I tried to install two services on a Windows server and until now it seems to work fine.
Until now I have had a problem installing the second splunkweb service, but I hope to get it running soon.

Regards,
krusty

paul_1994
Path Finder

I would ask the same question: why do you need Splunk running under a service account and not the local system? Are you doing some type of remote collection?

I have this same issue, but this is when I need to access a CIFS share and I need to provide access rights, so I run the Splunk forwarder under a domain account.

0 Karma

splunk13
Explorer

Hi Krusty,

Can you please tell me if it works for you? And if yes, could you please tell me how you did that?

Regards and thanks!

0 Karma

krusty
Contributor

Hi,

I have the same problem.
Usually all Windows servers are domain servers, so I have no problem with a functional domain user which runs the Splunk services.
Now I have to collect the events from Windows servers which are not in our domain.

What I am trying to do is create a second Splunk instance on the Splunk forwarder which runs with a local account. This account is also available on the server where I want to collect the data from. I hope that this works for me.

Has anyone solved a problem like this in the past?

Thanks.

Sorry for my bad English, but I hope you understand what the problem is.

0 Karma

mloven_splunk
Splunk Employee

splunk13,

I'm not sure if I'm following you, but yes, you can set up multiple instances of Splunk on the same server. Just install them in different directories and set them up to use different ports.

Why would you need to do this though? I understand that you have servers that are in different domains/workgroups, but I don't see why this matters. Splunk (by default) will run as the system user on Windows machines, so you don't need to create a local account on every PC.

HTH

0 Karma