Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What are the limitations of installing/running the UF in low privilege mode?

bo055677
New Member
‎12-05-2017 08:15 AM

I'm getting push back on installing UFs on domain controllers and I believe installing in low privilege mode is the solution which will meet windows administrators concerns. My only issue is that I haven't been able to find a document that states the exact limitations of running the UF in low privilege mode, other than this article.

https://answers.splunk.com/answers/93998/running-universal-forwarder-with-non-administrator-service-...

Does anyone know if there is a document on what a low privilege UF can't do?

Will this let me run Powershell commands?

0 Karma
Reply

nickhills
Ultra Champion
‎12-05-2017 08:51 AM

A low privileged user on windows will not be able to access the windows event logs without some additional configuration in your AD audit settings (and potentially a significant amount of pain)

An alternative to this is to run a collector to perform remote log collection, however this is only marginally better, because you have now given a remote system a privileged logon to the domain controllers.

Its only right to point out that this is a limitation of windows, rather than splunk, but my advice is to keep up the fight.
The value (and speed/volume advantage over remote wmi) of a local installed forwarder with sufficient rights is worth it over the headaches in the future.

If remote deployment is a concern (or the ability to do so) I would suggest locally deployed apps (ie no deployment server) over the alternatives - or even better a separate DS just to manage your sensitive deployment clients.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...