Is Windows admin access required to run a locally installed instance of Splunk?

mikefoti
Communicator

This question deals with making a locally installed instance of Splunk available to end users who do not have admin privileges on their win7 PC.

I log on to an end user’s PC as admin and install Splunk. When I log off and ask the user to try to access Splunk via the shortcut at Start > All Programs > Splunk, they are challenged with the UAC (User Access Control) pop-up box.

Must users of Splunk have admin privileges on their own PC?

1 Solution

Drainy
Champion

Firstly, Splunk is web based; the link is just a bookmark to a webpage, so the UAC pop-up is related to opening a URL or their browser?

Secondly, when installing, Splunk should really be installed as a local service as per the install instructions, unless you want to do remote WMI polling.

So after all is said, Splunk should actually be running in the background at startup anyway, and so admin access will not be required to access it. I feel this is UAC blocking your browser opening a URL or something like that. They should be able to access it via http://127.0.0.1:8000 in their browser of choice.

Finally, do you really want to install a server program like Splunk on a non-admin machine? Would it not be better to install a forwarder and have a central indexer where people could access or search for details?

mikefoti
Communicator

Good info, thanks!
I do realize/intend to switch to the free license. Not too concerned about accidentally providing non-admin access to sensitive logs because it is quite simple to wipe the index periodically (or even after each use).


Drainy
Champion

Well, what it actually does is get the configured address of the Splunk server and launch the browser, but it doesn't start Splunk if it's not running. Admin user or not, the only way would be to run splunk start or via the services menu. Is it just to read Windows event logs? Running on a non-admin machine, it will eventually need to be switched to a free licence; at this point it will provide unsecured access to the logs it has consumed. Also, each time you start it there is likely to be a drain on system resource as it indexes all new events.

mikefoti
Communicator

I do want it running on a non-admin machine because the users will only use it for occasional troubleshooting... and I also intended to not have it auto-start. I thought the shortcut first calls Splunk.exe and then calls the browser. I assumed "Splunk.exe" checks to see if the 2 services are started, and if not, starts them. So I will run some tests to determine if this is so.

In the meantime, I welcome more feedback.
