Getting Data In
Highlighted

Windows Server 2012 - Splunkd Service Access Denied

Engager

We're having a bit of an issue with our new Splunk install on Windows Server 2012. The Splunkd and Splunkweb services will not start when using a domain service account. They fail with a "Access Denied" message.

We're using a Domain Admin account and have verified that the following Local Policies were set for it:

Permission to log on as a service

Permission to log on as a batch job

Permission to replace a process-level token

Permission to act as part of the operating system

Permission to bypass traverse checking

I also verified that we do not have "Permission to log on as a service" set as a GPO - so that shouldn't be overiding the local policy.

Has anyone else had any experience with this? I've been racking my brain for 2 days trying to figure this one out and would greatly appreciate any direction in the matter. Thanks!

0 Karma
Highlighted

Re: Windows Server 2012 - Splunkd Service Access Denied

Engager

In case anyone else is encountering this issue:

We fixed this in a kind of roundabout way. The Splunk server was a Server 2012 on a VMware VM. I had to go in and disable the hotplug ability on the guest. This allowed the services to run under a domain service account but for some reason it cut off all network access to the server.

I then added a second NIC, booted up the VM and network connectivity was restored but the services failed again. After that I shutdown the machine, removed the new NIC and powered back on. For some reason network connectivity is restored and the splunk services are running under the domain account. I will update this entry as I find more information.

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.