I've installed Splunk 4.1.5 on a Windows 2008 server. I installed Splunk with a user account that was a member of the domain admins and has the appropriate permissions to access event logs. I configured Splunk to run as the local service account.
I'm finding that if I try and create/edit files underneath the apps or system directories, I can't modify them after creating them. It looks like the Creater Owner account has no privileges to anything in the Splunk directory tree.
I'm also finding that if I make a change to the config, such as configuring the server to forward events, I can see the changes in the GUI, but the outputs.conf file never gets created.
Is there a "best practices" guide or anything like that for getting Splunk to run well on 2008?
I installed Splunk on Server 2008 with a Domain Admin account, I am also running it under an account that has the same rights to our other servers.
As far as creating/editing, what level of account are you using when you create the files? I would imagine that you would have to be a member of the Local Administrators group since the location you are editing the files in the "Program Files" directory.
Hopefully this helps.
I installed Splunk as the domain admin account that the central Splunk server runs as and uses to pull WMI data off remote Windows servers. I've tried installing Splunk as both a Local System account and the same domain admin account I was installing Splunk as.
Even though the local administrators group has full control and domain admins are members of the local admins group, I still have problems editing files within Splunk. The problem may be that the CREATOR OWNER account does not have modify rights to anything in the Splunk tree. I have to add permissions from the root of Splunk.
The CREATOR OWNER does not have any affect on whether or not you can can modify files within Splunk, it has to do with the user that you are logged in as. Are you trying to edit files within the Splunk UI, or from Windows Explorer?
I have seen various problems like this when performing installations of Splunk as anything other than Local System.
When performing such installations, it is essential to do so as at least a local administrator. If I install Splunk as a user other than Local System, I do it by running "msiexec /i <splunk-installer.msi> LAUNCHSPLUNK=0". After the installation completes, I then go into the file security properties for C:\Program Files\Splunk, break any inheritance from upstream directories, and make sure that Administrators, CREATOR OWNER and the user I installed Splunk as have full control to Splunk and all directories below.
Regarding missing outputs.conf files, are you sure you're looking in the right place for it? I just did this on a Win2K8 system and the file got created in %SPLUNK_HOME%\etc\apps\search\local.
I too have seen problems related to created file permissions on Windows 2008.I believe these permissions problems are related to User Account Control (UAC).
By deafult, when you are browsing around the file system using explorer, you are doing so without the "Local Administrators" group token. You may see an example of this when trying to open a folder and encountering a UAC yes/no pop-up--answering yes will add your specific userid to the permissions for that folder.
When you create a file in a folder you created from scratch, say an app or sometimes a new configuration file, it might only give your specific userid permissions on the file and forget to also allow other local admins or system accounts (which splunk may be running as).
My practice has been right-clicking on a cmd.exe shortcut and choosing run as administrator. I then navigate to directories using this prompt and manually typing "notepad filename.conf" to create or edit files. This starts notepad with permissions needed to save the file appropriately.