Getting Data In

My splunk agent service runs as NT SERVICE/SplunkForwarder user and I want to move it to a local account.

giulianisanches
Engager

I'm installing Splunk Universal Frowarder using the following command:

choco install splunk-universalforwarder --version=9.0.5 --install-arguments='DEPLOYMENT_SERVER=<server_address>:<server_port>'

This install a SplunkForwarder service that runs with the user NT SERVICES/SplunkForwarder.

Reading the documentation, this account is a virtual account which are managed local accounts. 

Despite being described as managed local accounts, the documentation also states that "Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$." 

Currently, my windows machines are joined to the AD Domain but I'm working to change it and to not join them to the AD in the future.

I have a couple questions here:

  1. Can I use this default user (NT SERVICES/SplunkForwarder) even without joining the VM to the AD domain ?
  2. What are the limitations that I will face changing from this NT SERVICES account to a local account ?

Thanks.

Labels (2)
0 Karma
1 Solution

_JP
Contributor

1. Yes, you can setup Splunk to run as a local user in Windows.  But, per the docs it has to be setup during install, or before you have started Splunk for the first time.  Keep in mind that Splunk is very file-configuration driven, so even if you have to delete and re-install, I'm assuming your Forwarder is getting hooked up to a Deployment Server to get its configurations after your base install.

2. The main thing is the user needs to be an Administrator.  From there, your limitations are going to be what that user has access to - e.g. can the user you're running Splunk as have permissions to view the files you want to ingest.  More info here in docs on choosing your user.

View solution in original post

_JP
Contributor

1. Yes, you can setup Splunk to run as a local user in Windows.  But, per the docs it has to be setup during install, or before you have started Splunk for the first time.  Keep in mind that Splunk is very file-configuration driven, so even if you have to delete and re-install, I'm assuming your Forwarder is getting hooked up to a Deployment Server to get its configurations after your base install.

2. The main thing is the user needs to be an Administrator.  From there, your limitations are going to be what that user has access to - e.g. can the user you're running Splunk as have permissions to view the files you want to ingest.  More info here in docs on choosing your user.

PickleRick
SplunkTrust
SplunkTrust

1. Actually you can change the user Splunk runs with. It boils down to changing ownership of the installation directory and everything inside and changing configuration of the splunkforwarder service so that it logs on as another user. It's not an officially endorsed way, it's not supported but should work.

2. With older versions of UF, it was run with Local System user by default. New versions use a user with a bit more "trimmed" permissions. Of course the necessary permissions are due to what UF does, which means reading the event logs, or calling perfmon. There are also additional permissions needed to - as @_JP pointed out - to read specific files you want to ingest. Those you'll have to grant yourself.

About the difference between using AD-based account and a local one - with local account you won't be able to collect data remotely over WMI (there is no way to make splunk authenticate such connection) and might have problems with ingesting files from network shares - everything that involves authenticating over the network which is normally done behind the scenes by domain mechanisms.

chadmedeiros
Path Finder

Do you have any docs/references for point 2?

>> With older versions of UF, it was run with Local System user by default. New versions use a user with a bit more "trimmed" permissions. 

0 Karma

PickleRick
SplunkTrust
SplunkTrust
0 Karma

_JP
Contributor

Thank you for all the clarifications 😀

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...