Getting Data In

Splunk on a Domain Controller

simuvid
Splunk Employee

Is there any possibility to run a Splunk Forwarder on a Windows 2008 Domain Controller so that the Forwarder is running within the System context and events from the DC get forwarded?

Or in other words: What are the minimum rights that need to be assigned to a Forwarder to read and forward Security Logs?

2 Solutions

gkanapathy
Splunk Employee

The simple answer is that you must be running Splunk as an Administrator on the machine to be able to read the Security Logs. On a DC, this also implies that it will run as a Domain Admin.

The complex answer is that you don't absolutely have to run as an Administrator, but that the way to grant rights to the Security Event Log looks very sketchy. I personally would recommend very strongly against this as it looks very fragile and hard to administer. However, here is information about how to do it:

http://www.splunk.com/support/forum:SplunkAdministration/4128

http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx

http://support.microsoft.com/kb/323076

These apply to Windows 2003, but I do not think there are any changes or new UI for this in Windows 2008.

You might be able to take the approach in W2k8 of using Windows' own event log forwarding to send the logs to a non-domain controller, though I'm not sure if that avoids the security problem.


ftk
Motivator

I run light forwarders on my DCs. The easiest way is to simply install Splunk under the Local System context (basically just leave all defaults in the installer). This way Splunk can access and forward all the Event logs and you don't have to run anything under the context of a Domain Admin account.

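The two answers above come down to one question an administrator can check on the box itself: which identity the forwarder service logs on as, and whether that identity is actually granted read on the Security channel. The script below is an added example, not code from the thread or from Splunk; it assumes the Universal Forwarder's default service name `SplunkForwarder` (change the parameter if your install differs) and is meant to be run read-only from an elevated PowerShell prompt on the DC. It also reports whether the `CustomSD` registry value is present, which is how the linked Microsoft KB applies a hand-written event log ACL, so you can spot the "sketchy" approach if someone has already used it.

```powershell
function Get-SecurityLogAccessReport {
    param([string]$ServiceName = 'SplunkForwarder')  # assumed default service name

    # Is this host a domain controller? Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -in 4, 5

    # Which identity does the forwarder service log on as? 'LocalSystem' is the installer default.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $runsAs = if ($svc) { $svc.StartName } else { '<service not installed>' }

    # Effective channel ACL: wevtutil prints a line like
    # 'channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
    $sddl = (wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    $readers = foreach ($ace in $sd.DiscretionaryAcl) {
        # Event log channel rights: 0x1 = read, 0x2 = write, 0x4 = clear
        if ($ace.AceType -eq 'AccessAllowed' -and ($ace.AccessMask -band 0x1)) {
            try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: keep the raw value
        }
    }

    # A CustomSD value under the Security log's key means a custom ACL has been applied
    # (the mechanism the linked KB describes); flag it for review rather than assuming defaults.
    $customSD = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security' `
                                 -Name CustomSD -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDC
        ServiceRunsAs      = $runsAs
        SecurityLogReaders = $readers
        CustomSDPresent    = [bool]$customSD
        CustomSD           = if ($customSD) { $customSD.CustomSD } else { $null }
    }
}

Get-SecurityLogAccessReport | Format-List
```

If `ServiceRunsAs` is `LocalSystem` and `SecurityLogReaders` includes `NT AUTHORITY\SYSTEM`, the forwarder can read the Security log without any domain account at all, which is the configuration ftk describes. If `ServiceRunsAs` is a domain user, it will only appear in `SecurityLogReaders` through a group it belongs to (Administrators, or Event Log Readers where present), so check group membership before deciding the service account is under-privileged.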


BunnyHop
Contributor

There are no minimum rights, other than the right to install the forwarder. Make sure that you configure the Splunk install as a forwarder so as to have the least footprint possible.
