Getting Data In

Can you help me with a permissions issue for Windows directories?

reswob4
Builder

I was troubleshooting a weird issue in a Splunk Universal Forwarder installed on a Windows 2012R2 Print Server. I was getting the print logs but not the Application/System/Security logs. I looked at the inputs.conf for both and they were correct. I checked to see if the print server was sending data and if the indexers were receiving data and they were. I didn't see any errors in splunkd.log on the print server nor any errors in the _internal log in my Splunk index cluster. Splunk is running as local system and, as I said, seems to have no problem reading the print logs.

Then I started going through all the logs on the UF var/log directory and found btool.log had the following after the most recent restart:

ConfPathMapper - Failed to open: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf: Access is denied.

Well, I thought that should be simple, except I didn't know the simple answer. In *nix, the entire Splunk directory, subdirectories, and files need to be owned by the user splunk. If there is an equivalent error, I just run chown -R splunk.splunk /opt/splunk/ and everything is (usually) fixed.

But Windows doesn't have the equivalent of a Splunk user. Usually installing as local admin or domain admin takes care of setting all the correct permissions. But now that I have to fix the permissions on a single file/folder, what are the permissions that should be set on the whole Splunk directory structure? Googling hasn't yet found the answer. Closest I've found is this:

https://answers.splunk.com/answering/8980/view.html
and this:
https://answers.splunk.com/answering/9545/view.html

0 Karma
1 Solution

reswob4
Builder

I checked the security (right click, properties, security) on that exact file and the only account that had access to that file was the domain admin account I used to install/admin the server. I checked the security of the other files and found that SYSTEM and the local admin group were also listed and both had Full Control of that file. So I added those to this file and restarted Splunk and boom! Logs started flowing.

Not sure how access permissions got messed up. But that seems to have fixed it.


0 Karma
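The fix above was done by hand in the file's Security tab. As an added example (not from the original post), the PowerShell below audits the whole forwarder tree for files or folders that lack an Allow/Full Control entry for SYSTEM and the local Administrators group, and can re-add those entries without touching any other ACE. The install path is taken from the btool.log line in the question; the principal names and the `$Repair` switch are assumptions, and the script must run from an elevated prompt.

```powershell
# Added example, not from the original post: audit (and optionally repair) the ACLs
# of the Splunk Universal Forwarder tree. Path and principal names are assumptions.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$RequiredPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Returns the required principals that do NOT hold an Allow/FullControl entry on $Path.
function Get-MissingFullControl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $missing = @()
    foreach ($principal in $RequiredPrincipals) {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $principal -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $FullControl) -eq $FullControl)
        }
        if (-not $ok) { $missing += $principal }
    }
    return $missing
}

# Adds Allow/FullControl entries for $Principals while keeping every existing ACE.
# Folders get inheritable entries so files created under them later are covered too.
function Grant-FullControl {
    param([string]$Path, [string[]]$Principals)
    $acl = Get-Acl -LiteralPath $Path
    $isDir = (Get-Item -LiteralPath $Path -Force).PSIsContainer
    foreach ($p in $Principals) {
        $rule = if ($isDir) {
            New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $p, $FullControl, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        } else {
            New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $p, $FullControl, 'Allow'
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Report first; set $Repair = $true to apply fixes after reviewing the report.
$Repair = $false
Get-ChildItem -LiteralPath $SplunkHome -Recurse -Force | ForEach-Object {
    try { $missing = Get-MissingFullControl -Path $_.FullName }
    catch { Write-Warning "Cannot read ACL on $($_.FullName): $_"; return }
    if ($missing.Count -gt 0) {
        Write-Output "$($_.FullName) lacks FullControl for: $($missing -join ', ')"
        if ($Repair) { Grant-FullControl -Path $_.FullName -Principals $missing }
    }
}
```

A "Cannot read ACL" warning is itself a finding, since SYSTEM (the account the forwarder runs as) will hit the same "Access is denied" that btool.log showed. Inherit-only ACEs that carry generic rights rather than FullControl are not expanded by the check, so review any reported folder before repairing it.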
