Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

running splunkd on a search head with a Windows domain account

cphair
Builder
‎03-08-2013 12:21 PM

What permissions are required to run Splunk services on a Windows 2008 R2 search head with a domain account? The service was originally installed as local system, and it still runs if I change it to an admin account, but a non-admin account does not work, even with full control on the Splunk installation directory and rights to log on as a service. In a non-working (non-admin) config, the splunkd log ends just before the entry "03-08-2013 14:59:15.012 -0500 INFO loader - win-service: Starting as a Windows service: will run various system checks first..." would appear in a working config.

I found http://splunk-base.splunk.com/answers/28484/how-can-i-change-the-user-as-which-the-windows-universal..., which is a couple years old and only talks about the forwarder--are the required permissions the same anyway?

Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎03-11-2013 11:18 AM

@cphair,

This is what I did in my testing.

  • Created AD splunk Service account: domain\svc_splunk
  • On the Domain Controller I created a GPO - under Computer Configuration->Policies->Windows->Security Settings->Local Policies/User Rights Assignments
    • Policy: Deny log on Locally, Settings: domain\svc_splunk
    • Policy: Deny log on through Terminal Services, Settings: domain\svc_splunk
    • Policy: Log on as a batch job, Settings: Administrators, domain\local_services, domain\svc_splunk Note: you could add svc_splunk to a security group
    • Policy: Log on as a service, Settings: Administrators, domain\local_services, domain\svc_splunk Note: you could add svc_splunk to a security group

  • Apply GPO to Servers where splunk is installed

When you install splunk:


  • Install splunk as svc_splunk account or other Domain Account. Mostly likely using Runas command. If your service account does not have rights to install with another account. You will have to change file permission

  • Make sure svc_splunk account (service account) has file permissions of full control over $SPLUNK_HOME and all children objects. If you split your WARM and COLD indexes the same will have to been done to those file objects. Make sure inheratance is applied to all children objects.

  • When using Splunk CLI commands always run them under the splunk service account context. If in hieratance is broken and a user such as Administrator starts splunk via cli all new objects will show Administrator as owner and your service account will not have access breaking splunk.

  • You May have to specify additional permission for other windows objects you wish to monitor.

Note: By doing this watch out for NTFS permission issues.

Hope this helps you and/or gets you started. If this does help dont forget to accept or vote this up.

Cheers,

View solution in original post

Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎03-11-2013 11:18 AM

@cphair,

This is what I did in my testing.

  • Created AD splunk Service account: domain\svc_splunk
  • On the Domain Controller I created a GPO - under Computer Configuration->Policies->Windows->Security Settings->Local Policies/User Rights Assignments
    • Policy: Deny log on Locally, Settings: domain\svc_splunk
    • Policy: Deny log on through Terminal Services, Settings: domain\svc_splunk
    • Policy: Log on as a batch job, Settings: Administrators, domain\local_services, domain\svc_splunk Note: you could add svc_splunk to a security group
    • Policy: Log on as a service, Settings: Administrators, domain\local_services, domain\svc_splunk Note: you could add svc_splunk to a security group

  • Apply GPO to Servers where splunk is installed

When you install splunk:


  • Install splunk as svc_splunk account or other Domain Account. Mostly likely using Runas command. If your service account does not have rights to install with another account. You will have to change file permission

  • Make sure svc_splunk account (service account) has file permissions of full control over $SPLUNK_HOME and all children objects. If you split your WARM and COLD indexes the same will have to been done to those file objects. Make sure inheratance is applied to all children objects.

  • When using Splunk CLI commands always run them under the splunk service account context. If in hieratance is broken and a user such as Administrator starts splunk via cli all new objects will show Administrator as owner and your service account will not have access breaking splunk.

  • You May have to specify additional permission for other windows objects you wish to monitor.

Note: By doing this watch out for NTFS permission issues.

Hope this helps you and/or gets you started. If this does help dont forget to accept or vote this up.

Cheers,

Reply
Solved! Jump to solution

hortonew
Builder
‎08-22-2013 06:20 AM

This was very helpful. The GPO settings get the services to start. You do require full control on the Splunk Root directory and it's children as well, otherwise splunkd will start and auto-stop.

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎03-12-2013 08:44 AM

@cphair, make sure to use GPO modeling to ensure GPOs are linked in the correct order and settings are what is expected. Last GPO applied wins.

0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎03-12-2013 08:28 AM

Thanks, @bmacias84. I won't be able to look at this for a few days, but I'll check it out and let you know how it goes.

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎03-08-2013 12:44 PM

Sure, I have this running in my lab at home. I'll post something by Monday with some of the caveats. Also you might have to grant specific right to folders and other objects expicitly.

0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎03-08-2013 12:40 PM

I can't modify the GPO myself, but I might be able to request that it be modified...no promiwses, though. I'd like to know the minimum security requirements needed to make a domain service account work--essentially, if I start with a "normal" user account, what extra permissions does it need to run?

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎03-08-2013 12:36 PM

Ok this is a can of worms since it really depends on you AD enviorment, GPOs, Security restrictions, how limited you want that domain user to be. I've done this successfully, but it also has some caveats. how restrictive do you want it to be and do you have ability to modify GPO?

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...