Getting Data In

Splunk Web on Windows won't listen on port 8000

hughkelley
Path Finder

I have a UAC-enabled Server 2008 R2 machine with Splunk splunk-4.1.7-95063-x64-release installed.

I am using a low-privilege account (just the minimum listed in the docs, http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splu...).

This seems fine for splunkd, it can run, open port 8089, and appears to be indexing.

The splunkweb service never opens a port and seems to generate these errors every time it starts. Apparently it wants to query the Service Control Manager.

When I run the service interactively I get a UAC prompt.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4656
Task Category: Other Object Access Events
Level: Information
Keywords: Audit Failure
Description: A handle to an object was requested.

Subject:
    Security ID: xxx\service-splunk
    Account Name: service-splunk
    Account Domain: xxx
    Logon ID: 0x15cb85

Object:
    Object Server: SC Manager
    Object Type: SC_MANAGER OBJECT
    Object Name: ServicesActive
    Handle ID: 0x0

Process Information:
    Process ID: 0x204
    Process Name: C:\Windows\System32\services.exe

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: DELETE
        READ_CONTROL
        WRITE_DAC
        WRITE_OWNER
        Connect to service controller
        Create a new service
        Enumerate services
        Lock service database for exclusive access
        Query service database lock state
        Set last-known-good state of service database
    Access Reasons: -
    Access Mask: 0xf003f
    Privileges Used for Access Check: -
    Restricted SID Count: 0

0 Karma
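
The access mask in the event quoted above, 0xf003f, equals SC_MANAGER_ALL_ACCESS, so the failed request was for every right on the Service Control Manager. The following is an added example, not part of the original post: it decodes such a mask from 4656 event text and separates the state-changing rights from the read-only ones. The helper names and the read-only grouping are assumptions of this example, and the sample text is condensed from the quoted event.

```python
import re

# Service Control Manager access rights (values from winsvc.h / winnt.h).
SCM_RIGHTS = {
    0x00001: "SC_MANAGER_CONNECT",
    0x00002: "SC_MANAGER_CREATE_SERVICE",
    0x00004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x00008: "SC_MANAGER_LOCK",
    0x00010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x00020: "SC_MANAGER_MODIFY_BOOT_CONFIG",  # "Set last-known-good state"
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
SC_MANAGER_ALL_ACCESS = 0xF003F
# Assumption of this example: rights that only connect to or read SCM state.
READ_ONLY = 0x00001 | 0x00004 | 0x00010 | 0x20000

# Sample input: fields condensed from the 4656 event quoted in the post.
SAMPLE_EVENT = """\
Event ID: 4656
Keywords: Audit Failure
Account Name: service-splunk
Object Server: SC Manager
Object Name: ServicesActive
Access Mask: 0xf003f
"""

def field(text, name):
    """Return the value of a 'name: value' line in event text, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def decode_mask(mask):
    """Split an SCM access mask into named rights, lowest bit first."""
    names = [n for bit, n in sorted(SCM_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(SCM_RIGHTS)  # bits not defined for the SCM object
    return names + ([f"UNKNOWN(0x{unknown:x})"] if unknown else [])

def assess(text):
    """Summarise an SCM handle request from a 4656 event; None if not one."""
    if field(text, "Event ID") != "4656" or field(text, "Object Server") != "SC Manager":
        return None
    mask = int(field(text, "Access Mask"), 16)
    return {
        "account": field(text, "Account Name"),
        "denied": "Audit Failure" in (field(text, "Keywords") or ""),
        "all_access": mask == SC_MANAGER_ALL_ACCESS,
        "state_changing": decode_mask(mask & ~READ_ONLY),
    }
```

Calling `assess(SAMPLE_EVENT)` reports the account, whether the request was denied, and which of the requested rights would change SCM state.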

hughkelley
Path Finder

Port 8000 isn't in use by anybody else.

I haven't tried disabling UAC since that's a no-go configuration in our environment. I did try running the Python exe interactively (-debug) as the service account. That's when I saw the UAC prompt.

0 Karma

gkanapathy
Splunk Employee

Have you tried re-entering the password for the service account in the Services Control panel?

0 Karma

hughkelley
Path Finder

Yes, the service runs fine when I make the account a local administrator, so the username and password are fine.

I feel pretty confident this is a Windows UAC issue. The documentation seems to indicate that this (non-admin) configuration can be made to work.

Has anybody else gotten it going?

0 Karma

southeringtonp
Motivator

What user is SplunkWeb running as? LocalSystem? If you (temporarily) disable UAC, does it make any difference? If you run netstat -an -p tcp, is port 8000 used for anything else?

0 Karma