Getting Data In

How to hide Splunk forwarder from add/remove programs list?

adam_jones
Engager

I am pushing the Splunk forwarder out to a bunch of workstations. I don't want users to be able to remove the forwarder once it's installed. I've noticed that on my workstation I can go into the Add/Remove programs list in Windows and uninstall it. Also, I can stop the service from running. Is there any way to hide the forwarder from these places so that users don't remove it? Some of the users will have local admin rights so I don't think I can take away their ability to uninstall, but if it's hidden it's more likely to stay around.

0 Karma

javiergn
Super Champion

Hi,

Take a look at this: http://www.winhelponline.com/articles/15/1/How-to-hide-an-entry-in-the-AddRemove-Programs-applet.htm...

With regards to the service start/stop, while you can't easily stop your local admins from starting/stopping the Splunk service on Windows, you can monitor what's going on periodically:

  • Monitor your System Event Logs and look for "Event Source: Service Control Manager" where the description contains the name of the Splunk service. This will tell you when the service was stopped / started.
  • Use Splunk On Splunk or the Distributed Management Console to monitor the status of your Universal Forwarders. There are built-in searches to list UFs not reporting after a certain amount of time that you can tweak to customise to your needs.
  • If the number of Windows hosts you want to watch is not extremely huge, you can always monitor the Splunk services remotely every minute or so by writing some basic PowerShell that, either via WMI or built-in cmdlets, keeps an eye on those services. A multithreaded approach is recommended here.

But most importantly, there's something that really helped me in the past: get support from senior management on this. If someone senior enough informs your employees that stopping certain security/logging tools is not permitted unless there's a valid reason for it, people would think twice before doing so. It won't stop them but if they do, and you manage to find out, there will be consequences.

Hope that helps.

Thanks,
J

0 Karma
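An added example, not part of the original answer, combining the first and third suggestions above: it checks the forwarder service state over WMI/CIM and pulls the most recent Service Control Manager event for it from the System log. The service name `SplunkForwarder`, the default host list (local machine only) and the 24-hour lookback are assumptions to adjust for your environment.

```powershell
# Added example. Assumed values: service name, host list, lookback window.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # replace with your workstation list
    [string]$ServiceName    = 'SplunkForwarder',     # assumed UF service name; confirm with Get-Service
    [int]$LookbackHours     = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

$report = foreach ($computer in $ComputerName) {
    # Query the local machine without WinRM; remote hosts go through -ComputerName.
    $cim = @{ ClassName = 'Win32_Service'; Filter = "Name='$ServiceName'"; ErrorAction = 'Stop' }
    if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }

    try {
        $svc = Get-CimInstance @cim
    } catch {
        # Host offline, firewalled, or access denied: report it rather than skip it.
        [pscustomobject]@{ Computer = $computer; State = 'Unreachable'; StartMode = $null
                           LastChange = $null; Detail = $_.Exception.Message }
        continue
    }
    if (-not $svc) {
        # Service entry is gone, which is what an uninstall looks like.
        [pscustomobject]@{ Computer = $computer; State = 'NotInstalled'; StartMode = $null
                           LastChange = $null; Detail = $null }
        continue
    }

    # Service Control Manager events: 7036 = state change, 7040 = start type change.
    # Events are returned newest first, so the first match is the latest change.
    $last = Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue -FilterHashtable @{
                LogName = 'System'; ProviderName = 'Service Control Manager'
                Id = 7036, 7040; StartTime = $since
            } | Where-Object { $_.Message -like "*$($svc.DisplayName)*" } |
                Select-Object -First 1

    [pscustomobject]@{ Computer = $computer; State = $svc.State; StartMode = $svc.StartMode
                       LastChange = $last.TimeCreated; Detail = $last.Message }
}

# Show only hosts that need attention: not running, or no longer set to start automatically.
$report |
    Where-Object { $_.State -ne 'Running' -or $_.StartMode -ne 'Auto' } |
    Format-Table -AutoSize -Wrap
```

Run it from a scheduled task under an account with remote WMI and event log read rights on the workstations; an empty table means every listed host has the service running and set to automatic start.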