Getting Data In

Splunk UF after 9.1 - Access issues with IIS logs

gazoscreek
Path Finder

Ever since upgrading Windows clients above to 9.0 we've had access issues. We've resolved some of that by adding the "SplunkForwarder" user (which gets provisioned at the time of the install) to the Event Log Readers group.

Unfortunately, that hasn't resolved all access issues. IIS logs for instance ..

When I deploy a scripted input to a test client to provide a directory listing of C:\Windows\System32\Logfiles\HTTPERR ... the internal index gets a variety of errors, one of which is included below. (yes, the directory exists)

Get-ChildItem : Access to the path 'C:\Windows\System32\Logfiles\HTTPERR' is denied 

So, other than having our IT staff reinstall the UF everywhere to run as a System privileged user as it has run in every version I've ever worked with ... how are we to know what group the SplunkForwarder user needs to be added to in order to read data that is not under the purview of "Event Log Readers"?



PickleRick
SplunkTrust
SplunkTrust

This is a common problem with any tool. Just because for a long time UF on Windows was made to be run as Local System, doesn't mean that it's the proper approach.

It's up to you and your Windows admins to know what permissions are needed to access various parts of your environment. In order to access event logs you have to either edit the ACLs for event logs (which is a really ugly thing to do) or add the UF user to a group (I don't remember the exact name of the group - Logreaders?). But if you want to access some random files on your system it depends on the ownership and ACLs on those files/directories. There is no single good answer. This particular directory is most probably connected to IIS but others will correspond to other services.

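The accepted answer comes down to "check who owns the directory and what its ACL grants, then give the forwarder account only what it needs". The script below is an added example, not code from the thread or from Splunk: it audits the ACL of a log directory for the UF service account (compared by SID, so the account name form does not matter), warns about an explicit Deny that a new Allow would not override, and with -Fix adds an inherited ReadAndExecute ACE and puts the account in the Event Log Readers group. The account name NT SERVICE\SplunkForwarder and the directory path are assumptions; substitute the local user name if your installer created one, and run elevated for -Fix.

```powershell
<#
  Added example (not from the thread or from Splunk): audit and, with -Fix,
  grant read-only access for the UF service account on a log directory.
  Assumptions: the UF runs as the virtual account 'NT SERVICE\SplunkForwarder'
  (use 'COMPUTERNAME\SplunkForwarder' if the installer created a local user);
  the default directory is the HTTPERR path from the question.
#>
param(
    [string]$Account = 'NT SERVICE\SplunkForwarder',
    [string]$LogDir  = 'C:\Windows\System32\LogFiles\HTTPERR',
    [switch]$Fix
)

Set-StrictMode -Version Latest

# Compare by SID so the account name form (virtual account vs. local user) does not matter.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Rights a log reader needs: read + list + traverse, nothing more (no Modify/FullControl).
$needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Get-IdentitySid([System.Security.Principal.IdentityReference]$Id) {
    # Unresolvable SIDs (orphaned ACEs) return $null instead of throwing.
    try { $Id.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

$acl = Get-Acl -Path $LogDir -ErrorAction Stop
Write-Host "Owner of ${LogDir}: $($acl.Owner)"

# Allow ACEs (explicit or inherited) for the account that cover all of the needed rights.
$grants = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (Get-IdentitySid $_.IdentityReference) -eq $sid -and
    (($_.FileSystemRights -band $needed) -eq $needed)
})
# A Deny ACE for the account wins over any Allow we might add.
$denies = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and (Get-IdentitySid $_.IdentityReference) -eq $sid
})

if ($denies.Count -gt 0) {
    Write-Warning "$Account has an explicit Deny on $LogDir; adding an Allow will not override it."
}

if ($grants.Count -gt 0) {
    Write-Host "$Account already holds read access on $LogDir."
} elseif (-not $Fix) {
    Write-Host "$Account has no direct read ACE on $LogDir (access may still come via a group membership; re-run with -Fix to add one)."
} else {
    # Inherit to existing and future files and subfolders so rotated logs are covered.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $needed,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $LogDir -AclObject $acl -ErrorAction Stop
    Write-Host "Granted ReadAndExecute (inherited) on $LogDir to $Account."
}

# Event Log Readers only covers Windows Event Log channels; file-based logs need the ACE above.
# 'net localgroup' is used because it accepts NT SERVICE virtual accounts as members.
if ($Fix) {
    $out = net localgroup 'Event Log Readers' $Account /add 2>&1
    # Error 1378 means the account is already a member; anything else is worth seeing.
    if ($LASTEXITCODE -ne 0 -and (($out -join ' ') -notmatch '1378')) {
        Write-Warning ($out -join ' ')
    } else {
        Write-Host "$Account is a member of Event Log Readers."
    }
}
```

Run it once without -Fix against each directory your inputs.conf monitors to see what the account actually holds, then with -Fix from an elevated prompt. Two caveats: the account also needs traverse rights on every parent directory (for System32 that is normally granted to Users), and on directories owned by TrustedInstaller Set-Acl may require taking ownership first, which is a change worth recording rather than doing silently.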
gazoscreek
Path Finder

Thank you. IMHO, it's a change that probably should have been more widely announced and probably involved a touchpoint from account teams. This was a deviation from the way the UFs have operated since Day 1. (Yes, it's mentioned in the release notes ... but with no specific solutions to commonly ingested logs ... ) Like the release notes could have at least mentioned that in order to read Sysmon logs, you need to add "SplunkForwarder" to the Event Log Readers group. That took a while to figure out ... and yeah, it does appear that Event Log Readers doesn't imply all logs.

So, yes. Application logs are going to be tricky to remediate. But at least we're not in danger of exceeding our license threshold. (¬_¬)
