We have installed Splunk under an eval using just a local username. We'd like to monitor AD, but can't work out how to make Splunk use a different username. I have had a look through the documenation, but may have missed how to do this.
Could someone point me in the right direction please.
We're created a service account in the AD with limited rights, to get WMI and access log files, are there any specific rights the account needs? The documentation shoes that it needs some rights to the DC's but we don't want to create an account that can log into DC's GUI, but can pull data from them.
You have to change the service account in the Services Control panel, and change the ownership/permissions of all Splunk files. You'll find that the permissions of some files (e.g. Splunk indexes, Splunk internal logs file directory) are set by default to only be accessible by the initial installed Splunk user account. Easiest thing to do it to go to the installation directory and cascade your ownership changes down.
Alternatively, you can uninstall and reinstall providing the new user name, though this will delete everything in your install (including any indexed data, unless you moved it to a new location).
Note BTW that if you want to collect Windows Security Event Logs, basically you need to be an admin on the DC (and hence the domain). There is a way around it if you have to do it, but I would recommend against it.