I was troubleshooting a weird issue in a Splunk Universal Forwarder installed on a Windows 2012R2 Print Server. I was getting the print logs but not the Application/System/Security logs. I looked at the inputs.conf for both and they were correct. I checked to see if the print server was sending data and if the indexers were receiving data and they were. I didn't see any errors in splunkd.log on the print server nor any errors in the _internal log in my Splunk index cluster. Splunk is running as local system and as I said, seems to have no problem reading the print logs
Then I started going through all the logs on the UF var/log directory and found btool.log had the following after the most recent restart:
ConfPathMapper - Failed to open: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf: Access is denied.
Well, I thought that should be simple, except I didn't know the simple answer. In *nix, the entire Splunk directory, subdirectory, and files need to owned by the user Splunk. If there is an equivalent error, I just run chown -R splunk.splunk /opt/splunk/ and everything is (usually) fixed.
But Windows doesn't have the equivalent of a Splunk user. Usually installing as local admin or domain admin takes care of setting all the correct permissions. But now that I have to fix the permissions on a single file/folder, what are the permissions that should be set on the whole Splunk directory structure? Googling hasn't yet found the answer. Closest I've found is this:
https://answers.splunk.com/answering/8980/view.html
and this:
https://answers.splunk.com/answering/9545/view.html
I checked the security (right click, properties, security) on that exact file and the only account that had access to that file was the domain admin account I used to install/admin the server. I checked the security of the other files and found that SYSTEM and the local admin group were also listed and both had Full Control of that file. So I added those to this file and restarted splunk and boom! logs started flowing.
Not sure how access permissions got messed up. But that seems to have fixed it..
I checked the security (right click, properties, security) on that exact file and the only account that had access to that file was the domain admin account I used to install/admin the server. I checked the security of the other files and found that SYSTEM and the local admin group were also listed and both had Full Control of that file. So I added those to this file and restarted splunk and boom! logs started flowing.
Not sure how access permissions got messed up. But that seems to have fixed it..