This question deals with making a locally installed instance of Splunk available to end users who do not have admin privileges on their win7 PC.
I log onto to an end user’s PC as admin and install Splunk. When I log off and ask the user to try to access Splunk via the shortcut at Start > All Programs > Splunk, they are challenged with the UAC (user Access Control) pop up box.
Must users of Splunk have admin privileges on their own PC?
Firstly Splunk is web based, the link is just a bookmark to a webpage so the UAC pop up is related to opening a URL or their browser?
Secondly, when installing Splunk should really be installed as a local service as per the install instructions, unless you want to do remote WMI polling.
So after all is said, Splunk should actually be running in the background at start up anyway and so admin access will not be required to access it, I feel this is UAC blocking your browser opening a URL or something like that. They should be able to access it via http://127.0.0.1:8000 in their browser of choice.
Finally, do you really want to install a server program like Splunk on a non admin machine? Would it not be better to install a forwarder and have a central indexer where people could access or search for details?
Firstly Splunk is web based, the link is just a bookmark to a webpage so the UAC pop up is related to opening a URL or their browser?
Secondly, when installing Splunk should really be installed as a local service as per the install instructions, unless you want to do remote WMI polling.
So after all is said, Splunk should actually be running in the background at start up anyway and so admin access will not be required to access it, I feel this is UAC blocking your browser opening a URL or something like that. They should be able to access it via http://127.0.0.1:8000 in their browser of choice.
Finally, do you really want to install a server program like Splunk on a non admin machine? Would it not be better to install a forwarder and have a central indexer where people could access or search for details?
Good info.. thanks!
I do realize/intend to switch to the free license. Not too concerned about accidentally providing non-admin access to sesitive logs becuase it is quite simple to wipe the index periodcally (or even after each use).
Well, what it actually does is gets the configured address of the Splunk server and launches the browser but it doesn't start Splunk if its not running. Admin user or not, the only way would be to run splunk start or via the services menu. Is it just to read Windows event logs? Running on a non admin machine it will eventually need to be switched to a free licence, at this point it will provide unsecured access to the logs it has consumed. Also each time you start it there is likely to be a drain on system resource as it indexes all new events
I do want it running on a non admin machin becuase the users will only use it for ocassional troubleshooting... and I also intended to not have it auto-start. I thought the shortcut first calls Splunk.exe and then calls the browser. I assummed "Spunk.exe" checks to see if the 2 services are started, and if not, starts them. So I will run some tests to determine if this is so.
In the mean time, I welcome more feedback.