Splunk on a Domain Controller

simuvid
Splunk Employee

Is there any possibility to run a Splunk Forwarder on a Windows 2008 Domain Controller so that the Forwarder is running within the System Context and Events from the DC get forwarded?

Or in other words: What are the minimum rights that need to be assigned to a Forwarder to read and forward Security Logs?

2 Solutions

gkanapathy
Splunk Employee

The simple answer is that you must be running Splunk as an Administrator on the machine to be able to read the Security Logs. On a DC, this also implies that it will run as a Domain Admin.

The complex answer is that you don't absolutely have to run as an Administrator, but that the way to grant rights to the Security Event Log looks very sketchy. I personally would recommend very strongly against this as it looks very fragile and hard to administer. However, here is information about how to do it:

http://www.splunk.com/support/forum:SplunkAdministration/4128

http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx

http://support.microsoft.com/kb/323076

These apply to Windows 2003, but I do not think there are any changes or new UI for this in Windows 2008.

You might be able to take the approach in W2k8 of using Windows' own event log forwarding to send the logs to a non-domain controller, though I'm not sure if that avoids the security problem.

ftk
Motivator

I run light forwarders on my DCs. Easiest way is to simply install Splunk under the Local System context (basically just leave all defaults in the installer). This way Splunk can access and forward all the Event logs and you don't have to run anything under the context of a Domain Admin account.

BunnyHop
Contributor

There are no minimum rights, other than the right to install the forwarder. Make sure that you configure the Splunk install as a forwarder so as to have the least footprint possible.
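Added example, not code from the thread or from Splunk: a PowerShell check, run elevated on the DC, that reports which account the forwarder service runs under (ftk's Local System recommendation versus a Domain Admin account) and decodes the Security event log's channel ACL, which is the permission set gkanapathy's links describe editing. It assumes the service is named SplunkForwarder (the universal forwarder default).

```powershell
# Added example: audit a forwarder on a DC for the two points raised in the
# thread, namely which account the service runs as and who the Security event
# log ACL grants access to.
# Assumption: the service is named "SplunkForwarder" (the universal forwarder
# default); change $ServiceName if your install differs. Run elevated.
$ServiceName = 'SplunkForwarder'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

# StartName is the service logon account. 'LocalSystem' is what ftk recommends;
# a domain account (DOMAIN\user) is the case gkanapathy warns about on a DC.
$account = $svc.StartName
Write-Host "Service '$ServiceName' runs as: $account"
if ($account -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
    Write-Warning "Forwarder runs under '$account'; confirm it is not a Domain Admin."
}

# Channel access mask bits for event log SDDL: 0x1 = read, 0x2 = write, 0x4 = clear.
function ConvertFrom-ChannelMask([int]$Mask) {
    $rights = @()
    if ($Mask -band 0x1) { $rights += 'Read' }
    if ($Mask -band 0x2) { $rights += 'Write' }
    if ($Mask -band 0x4) { $rights += 'Clear' }
    if ($rights.Count -eq 0) { $rights += ('0x{0:X}' -f $Mask) }
    $rights -join ','
}

# The Security channel's access control is exposed as an SDDL string.
$sddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

Write-Host "Security log ACL (type, trustee, channel rights):"
foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }
    # A trustee beyond the stock SYSTEM / Administrators / Event Log Readers
    # entries is a sign the 'grant rights on the Security log' workaround was applied.
    '{0,-14} {1,-40} {2}' -f $ace.AceType, $who, (ConvertFrom-ChannelMask $ace.AccessMask)
}
```

Reading the Security channel configuration itself requires administrative rights, so run this from an elevated session; the ACL output is what you compare against the defaults before deciding whether the non-Administrator approach was ever applied on that DC.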
