Getting Data In

Can't determine universal forwarder service account

Path Finder


I've inherited a poorly documented splunk deployment that seems to have been misconfigured. the universal forwarder service isnt starting on workstations due to a logon issue. Either the password is wrong or the account it is configured with is wrong.

Is there a way to determine what account is the correct account/which account the deployment server is expecting the UF to use?

Many thanks in advance.

Labels (1)
0 Karma

New Member

Please check the owner of the file deploymentclient.conf which was essentially used to poll the server.
Please let me know what you found.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...