Is Windows admin access required to run a locally installed instance of Splunk?

mikefoti
Communicator

This question deals with making a locally installed instance of Splunk available to end users who do not have admin privileges on their win7 PC.

I log on to an end user’s PC as admin and install Splunk. When I log off and ask the user to try to access Splunk via the shortcut at Start > All Programs > Splunk, they are challenged with the UAC (User Access Control) pop-up box.

Must users of Splunk have admin privileges on their own PC?


Drainy
Champion

Firstly, Splunk is web based. The link is just a bookmark to a webpage, so the UAC pop-up is related to opening a URL or their browser?

Secondly, when installing, Splunk should really be installed as a local service as per the install instructions, unless you want to do remote WMI polling.

So after all is said, Splunk should actually be running in the background at startup anyway, and so admin access will not be required to access it. I feel this is UAC blocking your browser opening a URL or something like that. They should be able to access it via http://127.0.0.1:8000 in their browser of choice.

Finally, do you really want to install a server program like Splunk on a non-admin machine? Would it not be better to install a forwarder and have a central indexer where people could access or search for details?


mikefoti
Communicator

Good info.. thanks!
I do realize/intend to switch to the free license. Not too concerned about accidentally providing non-admin access to sensitive logs because it is quite simple to wipe the index periodically (or even after each use).


Drainy
Champion

Well, what it actually does is get the configured address of the Splunk server and launch the browser, but it doesn't start Splunk if it's not running. Admin user or not, the only way would be to run splunk start or via the services menu. Is it just to read Windows event logs? Running on a non-admin machine, it will eventually need to be switched to a free licence; at this point it will provide unsecured access to the logs it has consumed. Also, each time you start it there is likely to be a drain on system resources as it indexes all new events.

mikefoti
Communicator

I do want it running on a non-admin machine because the users will only use it for occasional troubleshooting... and I also intended to not have it auto-start. I thought the shortcut first calls Splunk.exe and then calls the browser. I assumed "Splunk.exe" checks to see if the 2 services are started, and if not, starts them. So I will run some tests to determine if this is so.

In the meantime, I welcome more feedback.
