Getting Data In

Splunk on a Domain Controller

simuvid
Splunk Employee

Is there any possibility to run a Splunk Forwarder on a Windows 2008 Domain Controller so that the Forwarder is running within the System Context and Events from the DC get forwarded?

Or in other words: What are the minimum rights that need to be assigned to a Forwarder to read and forward Security Logs?

2 Solutions

gkanapathy
Splunk Employee

The simple answer is that you must be running Splunk as an Administrator on the machine to be able to read the Security Logs. On a DC, this also implies that it will run as a Domain Admin.

The complex answer is that you don't absolutely have to run as an Administrator, but that the way to grant rights to the Security Event Log looks very sketchy. I personally would recommend very strongly against this as it looks very fragile and hard to administer. However, here is information about how to do it:

http://www.splunk.com/support/forum:SplunkAdministration/4128

http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx

http://support.microsoft.com/kb/323076

These apply to Windows 2003, but I do not think there are any changes or new UI for this in Windows 2008.

You might be able to take the approach in W2k8 of using Windows' own event log forwarding to send the logs to a non-domain controller, though I'm not sure if that avoids the security problem.

ftk
Motivator

I run light forwarders on my DCs. Easiest way is to simply install Splunk under the Local System context (basically just leave all defaults in the installer). This way Splunk can access and forward all the Event logs and you don't have to run anything under the context of a Domain Admin account.

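A quick way to verify both points raised in the answers above (which account the forwarder service actually runs as, and which principals the Security log's channel ACL grants read access to), as an added example that is not from this thread. It assumes the Windows service name SplunkForwarder, the universal forwarder default; an older light forwarder install may register the service under a different name.

```powershell
# Added example (not from the original thread): check the forwarder's service
# account and review the Security log channel ACL instead of loosening it.
# Assumption: the service is registered as 'SplunkForwarder'.
$svcName = 'SplunkForwarder'

$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service '$svcName' not found on this host" }
"Service '$svcName' runs as: $($svc.StartName)"   # 'LocalSystem' when installed with defaults

# Channel access for the Security log is stored as an SDDL string; read it
# with wevtutil and decode the ACEs so the grants can be reviewed.
$line = (wevtutil gl Security | Select-String '^channelAccess:').Line
$sddl = $line -replace '^channelAccess:\s*', ''
$sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)

foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }
    # Event log channel rights: 0x1 = read, 0x2 = write, 0x4 = clear
    $canRead = ($ace.AccessMask -band 0x1) -ne 0
    '{0,-12} {1,-45} mask=0x{2:x} read={3}' -f $ace.AceType, $name, $ace.AccessMask, $canRead
}
```

Run it elevated on the DC; if the service does not run as LocalSystem, the output shows whether its account appears in the Security channel ACL at all.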
BunnyHop
Contributor

There are no minimum rights, other than the right to install the forwarder. Make sure that you configure the Splunk install as a forwarder so as to have the least footprint possible.