Getting Data In

Splunk UF after 9.1 - Access issues with IIS logs

gazoscreek
Path Finder

Ever since upgrading Windows clients above to 9.0 we've had access issues. We've resolved some of that by adding the "SplunkForwarder" user (which gets provisioned at the time of the install) to the Event Log Readers group.

Unfortunately, that hasn't resolved all access issues. IIS logs for instance ..

When I deploy a scripted input to a test client to provide a directory listing of C:\Windows\System32\Logfiles\HTTPERR ... the internal index gets a variety of errors, one of which is included below. (yes, the directory exists)

Get-ChildItem : Access to the path 'C:\Windows\System32\Logfiles\HTTPERR' is denied 

So, other than having our IT staff reinstall the UF everywhere to run as a System privileged user as it has run in every version I've ever worked with ... How are we to know what Group the SplunkForwarder user needs to be added to read data that is not under the purview of "Event Log Readers"


1 Solution

PickleRick
SplunkTrust

This is a common problem with any tool. Just because for a long time UF on Windows was made to be run as Local System, doesn't mean that it's the proper approach.

It's up to you and your Windows admins to know what permissions are needed to access various parts of your environment. In order to access event logs you have to either edit the ACLs for event logs (which is a really ugly thing to do) or add the UF user to a group (I don't remember the exact name of the group - Logreaders?). But if you want to access some random files on your system it depends on the ownership and ACLs on those files/directories. There is no single good answer. This particular directory is most probably connected to IIS but others will correspond to other services.

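
As an added example (not code from the thread or from Splunk), the following PowerShell script does the two checks the answer describes for a forwarder service account: whether the account is a member of the built-in Event Log Readers group, and whether the account holds an explicit read-and-execute ACE on a log directory such as the HTTPERR folder from the question. With `-Fix` it adds the group membership and the directory ACE. The account name `SplunkForwarder` (the local user the installer creates) and the directory path come from the thread; everything else (parameter names, the `-Fix` switch, the explicit-ACE test) is an assumption of this example and not Splunk's own procedure.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session (5.1 or later) on the forwarder host.
# Assumptions: the UF runs as the local "SplunkForwarder" user created by the
# installer, and the log directory is the HTTPERR folder from the question.
param(
    [string]$Account = "$env:COMPUTERNAME\SplunkForwarder",
    [string]$LogDir  = 'C:\Windows\System32\Logfiles\HTTPERR',
    [switch]$Fix
)

# --- 1. Event logs: membership in the built-in Event Log Readers group ---
$group = 'Event Log Readers'
$member = Get-LocalGroupMember -Group $group -ErrorAction Stop |
          Where-Object { $_.Name -ieq $Account }
if ($member) {
    Write-Host "[ok]   $Account is a member of '$group'"
} elseif ($Fix) {
    Add-LocalGroupMember -Group $group -Member $Account -ErrorAction Stop
    Write-Host "[fix]  added $Account to '$group' (restart the UF service to pick it up)"
} else {
    Write-Host "[miss] $Account is NOT a member of '$group' (run with -Fix to add)"
}

# --- 2. Files: read + list rights on the log directory ---
if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    throw "Directory not found: $LogDir"
}
$readRights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl = Get-Acl -LiteralPath $LogDir

# Look for an explicit Allow ACE for the account that covers ReadAndExecute.
# Caveat: this only detects an ACE granted directly to the account; rights the
# account receives through a group it belongs to are not resolved here.
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $Account -and
    (([int]$_.FileSystemRights -band [int]$readRights) -eq [int]$readRights)
}
if ($hasRead) {
    Write-Host "[ok]   $Account has an explicit read/execute ACE on $LogDir"
} elseif ($Fix) {
    # Inherit to subfolders and files so newly rotated log files are readable too.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        $readRights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    # Set-Acl needs WRITE_DAC on the folder; on some protected Windows folders
    # an administrator must first take ownership for this to succeed.
    Set-Acl -LiteralPath $LogDir -AclObject $acl
    Write-Host "[fix]  granted $Account read/execute (inherited) on $LogDir"
} else {
    Write-Host "[miss] $Account has no explicit read ACE on $LogDir (run with -Fix to grant)"
}
```

Granting read and execute only, rather than adding the forwarder account to Administrators or reverting the service to Local System, keeps the account at the minimum needed to tail the log files; the same `-LogDir` argument can be pointed at other application log directories as each ingestion gap is found.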

gazoscreek
Path Finder

Thank you. IMHO, it's a change that probably should have been more widely announced and probably involved a touchpoint from account teams. This was a deviation from the way the UFs have operated since Day 1. (Yes, it's mentioned in the release notes ... but with no specific solutions to commonly ingested logs ... ) Like the release notes could have at least mentioned that in order to read Sysmon logs, you need to add "SplunkForwarder" to the Event Log Readers group. That took a while to figure out ... and yeah, it does appear that Event Log Readers doesn't imply all logs.

So, yes. Application logs are going to be tricky to remediate. But at least we're not in danger of exceeding our license threshold. (¬_¬)
