How to create a Non Administrative User Account to run universal forwarders to forward Windows security logs?

akshatj2
Path Finder

Hi All,

I need to install a Universal forwarder in our environment, but due to strict policies, we cannot give the user it runs with administrative rights.

Could you please give me a list of minimum access that can be granted to the user to run Universal Forwarders? We only need to forward security logs from the devices. Also, what are the features that will be disabled in Low Privileged mode?

I have installed 6.3.2.

Regards,
Akshat

0 Karma

akshatj2
Path Finder

Installation is on Windows devices.

0 Karma

esix_splunk
Splunk Employee

In addition to that, we see it quite frequently that the UF cannot run as a system or privileged account (especially in *nix worlds), so I'll focus on the Linux side.

Typically those security logs you are talking about live in /var/log/* and permissions on this directory tree are usually restricted to root / wheel and privileged accounts. This means that if you install the UF and run it as a non-root user, you won't be able to read these files for ingest.

There are a few options; most commonly the Splunk user will be added to a group that is granted permission to read those log files. This takes a bit more time on the sysadmin side, but usually conforms to most security policies.

Outside of that, you would need to go through the modular inputs in the *nix TA. A few of these require superuser / root privileges to run. So if you enable them without running as root, or again without modifying the Splunk user to be able to execute these, then you won't get any results.

0 Karma

akshatj2
Path Finder

Installation is on Windows servers, not Linux.

Also, I have already installed it using the admin account. Now, if I decrease the privileges and give that user access for reading logs and full access on the folder where it is installed, will that do the job for me, or does it have any special requirements? And will it require the Splunk services to be restarted?

pgreer_splunk
Splunk Employee

*nix or Microsoft?

The user you install it as would need (read) access to logs that you wish to collect and forward to your indexer(s). Providing that user access depends on the files you wish to forward the content from and the OS you're running the forwarder upon.

The docs page below is for running Splunk (universal forwarder and heavy forwarder included) as a non-root user on *nix.

http://docs.splunk.com/Documentation/Splunk/6.0.2/installation/RunSplunkasadifferentornon-rootuser

Info on user selection in a Windows environment (local or domain) is located in the docs at:

http://docs.splunk.com/Documentation/Splunk/6.0.2/Installation/ChoosetheuserSplunkshouldrunas

esix_splunk
Splunk Employee

If you are not collecting WMI or Event Logs off the Windows box, but only reading log files off disk, then make sure that the user has read permissions on the directory tree and the files. That should be sufficient.

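The Windows procedure the thread converges on (read access on the log tree, full access on the install folder, re-point the service, restart), as an added PowerShell example that is not code from the thread or from Splunk. The account name svc-splunkuf, the service name SplunkForwarder, the log path D:\AppLogs and the install path are assumptions for illustration; the account is assumed to exist already. The Event Log Readers step is a caveat for the original question (Security event log rather than files on disk): a non-admin account needs membership in that built-in group to read event logs, and it is skipped for file-only inputs.

```powershell
# Added example, not from the thread. Hypothetical names throughout; run from
# an elevated prompt on the forwarder host.
$User       = 'svc-splunkuf'                               # assumed local service account
$InstallDir = 'C:\Program Files\SplunkUniversalForwarder'  # default UF install path
$LogDir     = 'D:\AppLogs'                                 # assumed log tree to forward
$Service    = 'SplunkForwarder'                            # UF service name

# 1. Read + execute on the log tree. (OI)(CI) makes the ACE inherit to files
#    and subfolders, so rotated/new log files are readable without re-running.
icacls $LogDir /grant "${User}:(OI)(CI)RX" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $LogDir" }

# 2. Full control on the forwarder's own tree: it writes its state there
#    (var\lib fishbucket, var\log, var\run), so read-only is not enough.
icacls $InstallDir /grant "${User}:(OI)(CI)F" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $InstallDir" }

# 3. Only if you also collect Windows event logs (e.g. the Security log):
#    'Event Log Readers' membership lets a non-admin read them. Not needed
#    for file-only inputs, which is the case the last answer describes.
if (-not (Get-LocalGroupMember -Group 'Event Log Readers' -Member $User -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $User
}

# 4. Re-point the service at the low-privilege account. Caveat: unlike
#    services.msc, Win32_Service.Change does not grant the 'Log on as a
#    service' right; assign it (Local Security Policy / secedit) beforehand.
$cred = Get-Credential -UserName ".\$User" -Message "Password for $User"
$svc  = Get-CimInstance Win32_Service -Filter "Name='$Service'"
$res  = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = ".\$User"
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($res.ReturnValue -ne 0) { throw "Service reconfiguration failed (code $($res.ReturnValue))" }

# 5. The new logon account only takes effect on the next start, so restart.
Restart-Service -Name $Service

# 6. Verify: the service runs as the new account and the ACE is in place.
Get-CimInstance Win32_Service -Filter "Name='$Service'" |
    Select-Object Name, StartName, State
icacls $LogDir | Select-String $User
```

The order matters: grant the file permissions before switching the service account, otherwise the restarted forwarder starts with no readable inputs and logs permission errors into var\log\splunk until the ACLs catch up.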