Getting Data In

Trouble setting up forwarders on Windows 2008 using Service Account

Engager

I'm in a Windows environment, trying to set up forwarding to my indexer, all on Windows 2008 servers.

So, I made sure that my service account has FC on the entire Splunk installation directory, and R&Execute on the windows logs directory.

The Windows App was useless to me; I checked to make sure it was enabled in the app’s conf file, and it was, and then I would try to configure it in the GUI, and none of my configurations would be saved when I went back in; no inputs ever showed up.
SO I instead went directly to the inputs.conf file and added windows stanzas for each log I wanted. That seemed to work – briefly. Then I immediately started getting TCP resets from the forwarders in the Splunkd logs. I think this may be because I used the Local System vs Svc Acct for the Splunk services. AM I right? I managed to get the services to work with the service account on the indexer, so I am going to work with my admins to see if the group policy settings aren’t somehow overriding the local user rights assignments on the forwarders, and make sure that I have the correct domain groups in place in their local admin groups.
I found out I have to do WMI anyways, so now I have to use the svc acct, but this has really been a pain so far….any advice? AM I proceeding correctly? Why am I getting all of these TCP resets on the forwarders when they make the connection to the indexer? There are no Windows Firewall on any of the servers, neither in Local or Group Policy, so I know that’s not it….

0 Karma

Motivator

TCP Resets usually indicate that a port is closed, or possibly that a 3rd-party security device such as an IPS or NAC device is interfering.

How do you know that there are TCP Resets -- are you looking at a sniffer or seeing an error message somewhere?

Have you tried connecting to the indexer using telnet or similar to see if you can get a connection to that port at all? Somebody with more experience on distributed deployment chime in -- is it port 8089 that he needs to verify connectivity to?

LocalSystem has restrictions on making network connections, but IIRC they only apply to NetBIOS and SMB networking and user permissions, not straightforward TCP. Splunk uses SSL and its own security mechanisms, so it should not be an issue.

0 Karma

Engager

The TCP Resets are showing up in the Splunkd.log file on the indexer, for each connection made to it by a forwarder. Also showing up on the splunkd.log file on the forwarder. A connection is opened to the indexer, and then immediately reset by the forwarder.

0 Karma

Splunk Employee
Splunk Employee

Read and execute permissions on the Windows Log directories are not relevant for Splunk forwarders to collect the Windows Event Logs, as it does this via API, not by looking at the files:

http://answers.splunk.com/questions/4226/splunk-on-a-domain-controller/4235#4235 http://www.splunk.com/support/forum:SplunkAdministration/4128

0 Karma

Splunk Employee
Splunk Employee

Can you please clarify what exactly is not working, or what you're getting permissions denied on at the end of this?

0 Karma

Communicator

I'm not sure about accounts, but for any errors I suggest that you check the _internal log:

index=_internal host=forwarder

Try adding error as well to see what your forwarder is complaining about.

0 Karma