Getting Data In

How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs?

akshatj2
Path Finder

Hi All,

I need to install a Universal forwarder in our environment, but due to strict policies, we cannot give the user it runs with administrative rights.

Could you please give me a list of minimum access that can be granted to the user to run Universal Forwarders? We only need to forward security logs from the devices. Also, what are the features that will be disabled in Low Privileged mode?

I have installed 6.3.2.

Regards,
Akshat

0 Karma

akshatj2
Path Finder

Installation is on windows devices

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

In addition to that, we see it quite frequently the the UF cannot run as a system or priv account (especially *Nix worlds..) So Ill focus on the Linux side

Typically those security logs you are talking about live in /var/log/* and permissions on this directory tree are restricted usually to root / wheel and priv account. This means if you install the UF and run as a non-root user, you wont be able to read these files for ingest.

There are a few options, most commonly the Splunk user will be added into a group that is granted permissions to read those log files. This takes a bit more on time on the sys admin side, but usually conforms to most security policies.

Outside of that, you would nee to go through the modular inputs in the NIX TA. A few of these require super user / root priv to run. So if you enable them without running as root, or again modifying the Splunk user to be able to execute these, then you wont get any results.

0 Karma

akshatj2
Path Finder

Installation is on windows servers not linux.

Also, I have already installed it using the admin account now if I decrease the privilages and give access for reading logs and full access on folder where it is installed, for that user will that do the job for me or does it have any special requirements. And will it require splunk services to be restarted?

pgreer_splunk
Splunk Employee
Splunk Employee

*nix or Microsoft?

The user you install it as would need (read) access to logs that you wish to collect and forward to your indexer(s). Providing that user access depends on the files you wish to forward the content from and the OS you're running the forwarder upon.

The docs page below is for running Splunk (universal forwarder and heavy forwarder included) as a non-root user on *nix.

http://docs.splunk.com/Documentation/Splunk/6.0.2/installation/RunSplunkasadifferentornon-rootuser

Info on user selection in a Windows environment (local or domain) is located in the docs at:

http://docs.splunk.com/Documentation/Splunk/6.0.2/Installation/ChoosetheuserSplunkshouldrunas

akshatj2
Path Finder

Installation is on windows servers not linux.

Also, I have already installed it using the admin account now if I decrease the privilages and give access for reading logs and full access on folder where it is installed, for that user will that do the job for me or does it have any special requirements. And will it require splunk services to be restarted?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

If you are not collecting WMI or Eventlogs off the Windows box, only reading log files off disk, then make sure that the user has read permissions to the directory tree and the files. That should be sufficient.

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...