I have a UAC-enabled Server 2008 R2 machine with Splunk splunk-4.1.7-95063-x64-release installed.
I am using a low-privilege account (just the minimum listed in the docs, http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splu...).
This seems fine for splunkd, it can run, open port 8089, and appears to be indexing.
The splunkweb service never opens a port and seems to generate these errors every time it starts. Apparently it wants to query the Service Control Manager.
When I run the service interactively I get a UAC prompt.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4656
Task Category: Other Object Access Events
Level: Information
Keywords: Audit Failure
Description: A handle to an object was requested.

Subject:
  Security ID: xxx\service-splunk
  Account Name: service-splunk
  Account Domain: xxx
  Logon ID: 0x15cb85

Object:
  Object Server: SC Manager
  Object Type: SC_MANAGER OBJECT
  Object Name: ServicesActive
  Handle ID: 0x0

Process Information:
  Process ID: 0x204
  Process Name: C:\Windows\System32\services.exe

Access Request Information:
  Transaction ID: {00000000-0000-0000-0000-000000000000}
  Accesses: DELETE
            READ_CONTROL
            WRITE_DAC
            WRITE_OWNER
            Connect to service controller
            Create a new service
            Enumerate services
            Lock service database for exclusive access
            Query service database lock state
            Set last-known-good state of service database
  Access Reasons: -
  Access Mask: 0xf003f
  Privileges Used for Access Check: -
  Restricted SID Count: 0
Port 8000 isn't in use by anybody else.
I haven't tried disabling UAC since that's a no-go configuration in our environment. I did try running the Python exe interactively (-debug) as the service account. That's when I saw the UAC prompt.
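Decoding the access mask in that 4656 entry, as an added example that is not part of the original post or of Splunk's code: the script parses the fields that matter out of an event, expands the mask bit by bit using the SC_MANAGER_* constants from winsvc.h, and reports which requested rights go beyond what a non-administrator normally holds on the Service Control Manager. The event text is constructed to mirror the fields quoted above, and the "non-admin baseline" (connect, enumerate, query lock status, read control) is an assumption used only for the excess report.

```python
import re

# Access-right bits for a Service Control Manager handle (winsvc.h values),
# plus the standard rights that SC_MANAGER_ALL_ACCESS (0xF003F) folds in.
SC_MANAGER_RIGHTS = {
    0x00001: "SC_MANAGER_CONNECT",
    0x00002: "SC_MANAGER_CREATE_SERVICE",
    0x00004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x00008: "SC_MANAGER_LOCK",
    0x00010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x00020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
SC_MANAGER_ALL_ACCESS = 0xF003F

# Assumption: the rights a non-administrator typically needs just to connect
# to the SCM and list/query services. Anything beyond this is what tips an
# OpenSCManager call into needing an elevated (administrator) token.
NON_ADMIN_BASELINE = 0x00001 | 0x00004 | 0x00010 | 0x20000

# Constructed sample event, modelled on the 4656 entry quoted in the post.
SAMPLE_EVENT = """\
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4656
Keywords: Audit Failure
Subject:
  Security ID: xxx\\service-splunk
  Account Name: service-splunk
Object:
  Object Server: SC Manager
  Object Type: SC_MANAGER OBJECT
  Object Name: ServicesActive
Process Information:
  Process ID: 0x204
  Process Name: C:\\Windows\\System32\\services.exe
Access Request Information:
  Access Mask: 0xf003f
"""


def _field(text, label):
    """Return the value after 'Label:' on its own line, or None if absent."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(.*?)\s*$", text, re.M)
    return m.group(1) if m else None


def parse_4656(text):
    """Pull the fields that matter for an SCM access failure out of a 4656 event."""
    mask = _field(text, "Access Mask")
    return {
        "event_id": int(_field(text, "Event ID") or 0),
        "outcome": _field(text, "Keywords"),
        "account": _field(text, "Account Name"),
        "object_type": _field(text, "Object Type"),
        "object_name": _field(text, "Object Name"),
        "process": _field(text, "Process Name"),
        "access_mask": int(mask, 16) if mask else 0,
    }


def decode_access_mask(mask):
    """Map each set bit of an SC_MANAGER access mask to its symbolic name."""
    names = [name for bit, name in sorted(SC_MANAGER_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(SC_MANAGER_RIGHTS)
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def excess_rights(mask, baseline=NON_ADMIN_BASELINE):
    """Rights requested beyond what a non-admin caller would normally hold."""
    return decode_access_mask(mask & ~baseline)


def analyse(text):
    """Parse the event and annotate it with decoded and excess rights."""
    ev = parse_4656(text)
    mask = ev["access_mask"]
    ev["rights"] = decode_access_mask(mask)
    ev["is_all_access"] = mask == SC_MANAGER_ALL_ACCESS
    ev["excess"] = excess_rights(mask)
    return ev


if __name__ == "__main__":
    r = analyse(SAMPLE_EVENT)
    print("%s (%s) requested 0x%x on %s via %s"
          % (r["account"], r["outcome"], r["access_mask"], r["object_type"], r["process"]))
    print("  rights:", ", ".join(r["rights"]))
    print("  is SC_MANAGER_ALL_ACCESS:", r["is_all_access"])
    print("  beyond non-admin baseline:", ", ".join(r["excess"]) or "none")
```

Run against the sample, it reports that 0xf003f is exactly SC_MANAGER_ALL_ACCESS: the caller is asking for every right on the SCM (including WRITE_DAC, WRITE_OWNER and CREATE_SERVICE) rather than only connect and enumerate, and full control of the SCM is something the default SCM security descriptor grants to administrators, not to an ordinary service account. That is consistent with the service working the moment the account is made a local administrator, independent of whether its password is right.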
Have you tried re-entering the password for the service account in the Services Control panel?
Yes, the service runs fine when I make the account a local administrator, so the username and password are fine.
I feel pretty confident this is a Windows UAC issue. The documentation seems to indicate that this (non-admin) configuration can be made to work.
Has anybody else gotten it going?
What user is SplunkWeb running as? LocalSystem? If you (temporarily) disable UAC, does it make any difference? If you run netstat -an -p tcp, is port 8000 used for anything else?