I'm installing Splunk Universal Forwarder using the following command:
choco install splunk-universalforwarder --version=9.0.5 --install-arguments='DEPLOYMENT_SERVER=<server_address>:<server_port>'
This installs a SplunkForwarder service that runs as the user NT SERVICE\SplunkForwarder.
Reading the documentation, this account is a virtual account, which is a managed local account.
Despite being described as a managed local account, the documentation also states that "Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$."
Currently, my Windows machines are joined to the AD domain, but I'm working to change that and not join them to AD in the future.
I have a couple questions here:
Thanks.
1. Yes, you can set up Splunk to run as a local user in Windows. But, per the docs, it has to be set up during install, or before you have started Splunk for the first time. Keep in mind that Splunk is very file-configuration driven, so even if you have to delete and re-install, I'm assuming your Forwarder is getting hooked up to a Deployment Server to get its configurations after your base install.
2. The main thing is the user needs to be an Administrator. From there, your limitations are going to be what that user has access to, e.g. does the user you're running Splunk as have permission to view the files you want to ingest? More info here in the docs on choosing your user.
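An added example of the install-time approach described in this answer (not code from the question, the answer, or Splunk's own documentation): the same Chocolatey install as in the question, but with the service logon account supplied up front so the forwarder never starts under the virtual account. The account name, password prompt, deployment server address and MSI path are placeholders; that Chocolatey hands --install-arguments through to msiexec unchanged, and that LOGON_USERNAME / LOGON_PASSWORD are the installer properties for the service account, are assumptions stated in the comments.

```powershell
# Added example, not from the thread or Splunk's docs: install the universal
# forwarder so that the SplunkForwarder service logs on as a local account
# from its first start, instead of NT SERVICE\SplunkForwarder. As the answer
# says, this only takes effect at install time, before the first start.
#
# Assumptions (placeholders, not from the thread):
#   - the local account svc_splunkuf already exists and is in Administrators
#   - ds.example.internal:8089 stands in for <server_address>:<server_port>
#   - LOGON_USERNAME / LOGON_PASSWORD are the MSI properties the Splunk
#     Windows installer uses for the service account
#   - Chocolatey passes --install-arguments to msiexec unchanged

$Deployment = 'ds.example.internal:8089'
$Cred       = Get-Credential -UserName '.\svc_splunkuf' -Message 'Service account'
$User       = $Cred.UserName                          # ".\name" = local account on this host
$Pass       = $Cred.GetNetworkCredential().Password   # plain text is needed for msiexec

# A forwarder that is already installed keeps its existing account; re-running
# the installer with new logon properties will not change it. Bail out early.
if (Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue) {
    throw 'SplunkForwarder service already exists; uninstall before retrying.'
}

$installArgs = "DEPLOYMENT_SERVER=$Deployment LOGON_USERNAME=$User LOGON_PASSWORD=$Pass AGREETOLICENSE=Yes"
& choco install splunk-universalforwarder --version=9.0.5 -y --install-arguments="$installArgs"
if ($LASTEXITCODE -ne 0) { throw "choco install failed with exit code $LASTEXITCODE" }

# Equivalent without Chocolatey (MSI path is a placeholder):
# msiexec.exe /i "C:\Temp\splunkforwarder-9.0.5-x64-release.msi" `
#   DEPLOYMENT_SERVER="$Deployment" LOGON_USERNAME="$User" LOGON_PASSWORD="$Pass" `
#   AGREETOLICENSE=Yes /quiet /norestart

# Verify which identity the service actually got: StartName should be the
# local account, not "NT SERVICE\SplunkForwarder".
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
'{0} runs as {1} ({2})' -f $svc.Name, $svc.StartName, $svc.State
```

One caveat worth keeping in mind: the password travels on the msiexec command line, so it will show up in process-creation auditing (event 4688 with command-line logging) and in Chocolatey's own log. Use a throwaway password and rotate it afterwards, or run the install from a session where those logs are acceptable.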
1. Actually, you can change the user Splunk runs as. It boils down to changing ownership of the installation directory and everything inside it, and changing the configuration of the splunkforwarder service so that it logs on as another user. It's not an officially endorsed way and it's not supported, but it should work.
2. With older versions of the UF, it ran as the Local System user by default. New versions use a user with somewhat more "trimmed" permissions. Of course, the necessary permissions follow from what the UF does, which means reading the event logs or calling perfmon. There are also additional permissions needed, as @_JP pointed out, to read the specific files you want to ingest. Those you'll have to grant yourself.
About the difference between using an AD-based account and a local one: with a local account you won't be able to collect data remotely over WMI (there is no way to make Splunk authenticate such a connection) and you might have problems ingesting files from network shares, i.e. everything that involves authenticating over the network, which is normally done behind the scenes by domain mechanisms.
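An added example of the post-install change this reply describes (not code from the reply or from Splunk): take ownership of the install tree, grant the new account full control, repoint the service logon, and verify. As the reply says, this is not a supported procedure. The account name and install path are placeholders, and the script assumes the local account already exists and is a member of the local Administrators group; the "Log on as a service" caveat in the comments is about how sc.exe behaves, not something the reply states.

```powershell
# Added example, not from the reply or Splunk's docs: move an already-installed
# forwarder from the NT SERVICE\SplunkForwarder virtual account to a local
# account. Unsupported by Splunk; run elevated.
#
# Assumptions (placeholders, not from the thread):
#   - svc_splunkuf is an existing local account in the Administrators group
#   - the forwarder lives in the default install path below

$ServiceName = 'SplunkForwarder'
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$Cred        = Get-Credential -UserName '.\svc_splunkuf' -Message 'New service account'
$NewUser     = $Cred.UserName                          # ".\name" form for sc.exe
$Plain       = $Cred.GetNetworkCredential().Password
$IcaclsUser  = $NewUser -replace '^\.\\', "$env:COMPUTERNAME\"   # icacls wants HOST\name

# 1. Stop the forwarder so no files are held open while ownership changes.
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 2. Ownership plus full control on the whole install tree.
#    /T recurse, /C continue past errors, (OI)(CI) inherit to files and subdirs.
& icacls.exe $SplunkHome /setowner $IcaclsUser /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed: $LASTEXITCODE" }
& icacls.exe $SplunkHome /grant "$($IcaclsUser):(OI)(CI)F" /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed: $LASTEXITCODE" }

# 3. Change the service logon. sc.exe needs the space after each '='.
#    sc.exe does NOT grant the "Log on as a service" right (SeServiceLogonRight)
#    the way the Services MMC snap-in does; if the service later fails with
#    error 1069 (logon failure), grant that right via secpol.msc or GPO and retry.
& sc.exe config $ServiceName obj= $NewUser password= $Plain | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed: $LASTEXITCODE" }

# 4. Start it again and confirm the identity it runs under.
Start-Service -Name $ServiceName
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
'{0} runs as {1} ({2})' -f $svc.Name, $svc.StartName, $svc.State
```

If the forwarder was monitoring event logs or perfmon counters before the change, check splunkd.log after the restart: whatever the virtual account was granted by the installer (log reader membership, perfmon access, read rights on the inputs you configured) is exactly what the reply says you now have to grant the new account yourself.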
Do you have any docs/references for point 2?
>> With older versions of UF, it was run with Local System user by default. New versions use a user with a bit more "trimmed" permissions.
The section "about the least-privileged user"
Thank you for all the clarifications 😀