Getting Data In

Local Users on Universal Forwarder and Remote CLI?

stevepraz
Path Finder

We are looking to lock down our universal forwarders on Windows servers. Our plan is for all the necessary configs to be pulled down from a deployment server.

In light of that, is there any reason why we would need the local user (admin) created when the forwarder is installed? What functions would that be used for? Could we rename it or disable it to prevent it from being used? Also, is there a way to prevent remote CLI functions from being able to be run? What is the 8089 port used for on a forwarder?

ekost
Splunk Employee
  1. Credentials are required to access and read files. A Windows forwarder uses the Windows-owned LocalSystem account by default, and does not create a new account in Windows. If you know what data you want to collect from Windows, review the credential and collection options and consider the creation of a custom system account to run the forwarder. Test vigorously.
  2. CLI functions require authentication. Change the forwarder's own internal credentials after the installation completes. Use scripts for post-installation tasks when deploying forwarders at scale.
  3. Answers has a good post on the uses for the management port here. The port can be disabled.
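
The post-installation steps from points 2 and 3 above, as an added PowerShell example that is not code from this thread or from Splunk: it rotates the forwarder's internal admin password while the management port is still reachable, then disables that port in server.conf and restarts the service. The install path, the Windows service name SplunkForwarder, and the two environment variables holding the old password (assumed to be the one given to the installer) and the new one (assumed to come from a vault or the deployment job) are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original thread. Post-install hardening for a
# Windows universal forwarder, intended to run from a deployment tool such as
# SCCM immediately after the MSI install, with administrative rights.
#Requires -RunAsAdministrator
param(
    [string]$SplunkHome  = 'C:\Program Files\SplunkForwarder',   # assumed install path
    [string]$OldPassword = $env:UF_INSTALL_PASSWORD,             # assumed: password used at install
    [string]$NewPassword = $env:UF_NEW_PASSWORD                  # assumed: pulled from a vault
)

$ErrorActionPreference = 'Stop'
$splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$serverConf = Join-Path $SplunkHome 'etc\system\local\server.conf'

# 1. Rotate the forwarder's internal admin credential (answer point 2).
#    'splunk edit user' talks to the REST API on the management port, so this
#    must happen before that port is disabled.
& $splunk edit user admin -password $NewPassword -auth "admin:$OldPassword"
if ($LASTEXITCODE -ne 0) { throw "admin password change failed (exit code $LASTEXITCODE)" }

# 2. Disable the management port (answer point 3) by setting
#    [httpServer] disableDefaultPort = true in the local server.conf.
#    The deployment client connects outbound to the deployment server, so it
#    keeps working; only inbound REST/CLI access to this forwarder is lost.
New-Item -ItemType Directory -Force -Path (Split-Path $serverConf) | Out-Null
$text = if (Test-Path $serverConf) { Get-Content $serverConf -Raw } else { '' }

# Remove any existing disableDefaultPort line so there is exactly one, then
# place ours directly under the [httpServer] stanza header (creating the
# stanza if the file does not have one).
$text = $text -replace '(?m)^\s*disableDefaultPort\s*=.*\r?\n?', ''
if ($text -match '(?m)^\[httpServer\]') {
    $text = $text -replace '(?m)^\[httpServer\][ \t]*\r?\n?', "[httpServer]`r`ndisableDefaultPort = true`r`n"
} else {
    if ($text.Trim()) { $text = $text.TrimEnd() + "`r`n`r`n" } else { $text = '' }
    $text += "[httpServer]`r`ndisableDefaultPort = true`r`n"
}
Set-Content -Path $serverConf -Value $text -Encoding ASCII -NoNewline

# 3. Restart so server.conf is re-read, then confirm nothing listens on 8089.
Restart-Service -Name SplunkForwarder
Start-Sleep -Seconds 10
$listening = Get-NetTCPConnection -LocalPort 8089 -State Listen -ErrorAction SilentlyContinue
if ($listening) { throw 'management port 8089 is still listening after restart' }
Write-Host 'forwarder hardened: admin password rotated, management port disabled'
```

Order matters: the password change goes through the REST API, so it has to run before the port is disabled. Once `disableDefaultPort = true` is in effect, CLI commands that rely on the REST API fail, while `btool` (which reads the conf files locally) and Windows service control keep working. Re-enabling the port later means editing server.conf and restarting the service, not a CLI command, so keep that step in the same deployment tooling.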

stevepraz
Path Finder

Thanks for the response. Point 2 is what my question was mainly around, the forwarder's internal credentials. From initial testing it looks like the forwarder starts up just fine with no users in the SPLUNK_HOME/etc/passwd file. If I'm handling my initial installs and mass upgrades with a deployment tool like SCCM and I am managing my forwarder configurations via deployment server, are there any critical CLI functions I would be losing out on by not having any users internal to the forwarder?

Even if we changed the user name from admin and the password, we'd have to rotate the password (to meet internal standards). If there isn't any functionality we are missing out on, it seems easier to just disable it entirely.


ekost
Splunk Employee

The only time I leverage CLI on a forwarder is troubleshooting. I agree that if you've become very comfortable with deployment server and have a method in mind to manage potential changes to the deploymentclient.conf file, there's very little need for CLI or the management port. All that said, I do not know of a way to completely disable the CLI functions. You can check with support for confirmation. Restricting access to the forwarder installation from non-admins with login capabilities is an option.

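
A read-only audit covering the points raised in this thread, as an added PowerShell example that is not the posters' or Splunk's own code: it reports which account the SplunkForwarder service runs as, the effective `disableDefaultPort` value together with whether anything is actually listening on 8089, which internal users remain in etc\passwd, the configured deployment server, and which identities other than the expected ones can write under etc\ (the "restrict access from non-admins" suggestion above). It uses only `btool`, service queries and file ACLs, none of which need the management port. The install path, the service name, and the list of identities treated as expected writers are assumptions.

```powershell
# Added example, not from the original thread. Read-only attack-surface
# audit of a Windows universal forwarder; safe to run on a locked-down host
# because nothing here goes through the management port.
param([string]$SplunkHome = 'C:\Program Files\SplunkForwarder')   # assumed install path

$ErrorActionPreference = 'Stop'
$splunk   = Join-Path $SplunkHome 'bin\splunk.exe'
$findings = [ordered]@{}

# Service account (first answer, point 1): LocalSystem is the installer default.
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"   # assumed service name
$findings['service_account'] = $svc.StartName
$findings['service_state']   = $svc.State

# Management port (point 3): effective conf value via btool, plus a live socket check
# so a stale or shadowed setting does not give a false sense of safety.
$http = & $splunk btool server list httpServer
$findings['disableDefaultPort']  = if ($http -match 'disableDefaultPort\s*=\s*true') { 'true' } else { 'false/unset' }
$findings['port_8089_listening'] = [bool](Get-NetTCPConnection -LocalPort 8089 -State Listen -ErrorAction SilentlyContinue)

# Internal users (point 2): etc\passwd lines are ':username:hash:...'; a missing
# or empty file means no local logins exist at all.
$passwd = Join-Path $SplunkHome 'etc\passwd'
$users  = @()
if (Test-Path $passwd) {
    $users = Get-Content $passwd | Where-Object { $_ -match '^:[^:]+:' } | ForEach-Object { ($_ -split ':')[1] }
}
$findings['internal_users'] = if ($users) { $users -join ',' } else { '(none)' }

# Deployment client target: this outbound connection is what replaces the CLI
# for configuration changes, so confirm it is set.
$dc = & $splunk btool deploymentclient list target-broker:deploymentServer
$findings['deployment_server'] = ($dc | Where-Object { $_ -match '^targetUri' }) -join ''

# Who can modify the configuration (last reply): anything beyond SYSTEM, local
# Administrators, TrustedInstaller and the service account itself is suspect.
# Note: inherited generic rights show up as numbers and are not decoded here.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller', $svc.StartName)
$writers = (Get-Acl (Join-Path $SplunkHome 'etc')).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl') -and
        ($allowed -notcontains $_.IdentityReference.Value)
    }
$findings['unexpected_writers'] = ($writers | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ','

$findings
```

Run it as an administrator from the deployment tool or a scheduled job and compare the output against the intended state: `disableDefaultPort` true with nothing listening on 8089, an empty or deliberately minimal `internal_users`, a populated `deployment_server`, and no `unexpected_writers`. Any drift in these five values is the signal that a host was installed or modified outside the managed path.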