Accessing restricted Windows share

timrich66 · ‎11-10-2021

Hello all,

I'm not sure what I have been asked to do is achievable. I'm hoping that someone can advise.

We have a Windows 2003 server that cannot have a UF installed as it is not compatible with our current environment (8.1.6). Anyway, that aside, I have managed to ingest data using 'open' shares from a UF on a Windows 2016 server to the 2003 server.

I now have a request to ingest data from a restricted share on the 2003 server. I have tried setting up a share from the 2016 server to the 2003 server, but this does not work. I guess because the UF is not using the same account as the share has been set up under?

Can anyone tell me how I can create a share for the Splunk UF to use?

Thanks

PickleRick · ‎11-18-2021

In general, there is no problem with installing Splunk UF on one server, let's call it Server1 and read files from a share from another server (Server2).

You simply create monitor inputs and read files from a given UNC path like \\Server2\share\path\filename.log

There is one caveat though. Splunk UF on Server1 has to have access to the share of course. With your typical AD-based infrastructure you'd set up the UF to run with a managed service account (not Local System, as it is installed by default) and grant this account access to the \\Server2\share

timrich66 · ‎11-18-2021

Thanks @PickleRick , I will talk with our infra team and admins to get the UF set up to use an AD account.

I'll reply to let you know the result.

timrich66 · ‎11-18-2021

Hi clever people,

Does anyone have any suggestions?

Thanks

Accessing restricted Windows share

inputs.conf

Linux

universal forwarder

Windows

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update