Getting Data In

running splunkd on a search head with a Windows domain account

cphair
Builder

What permissions are required to run Splunk services on a Windows 2008 R2 search head with a domain account? The service was originally installed as local system, and it still runs if I change it to an admin account, but a non-admin account does not work, even with full control on the Splunk installation directory and rights to log on as a service. In a non-working (non-admin) config, the splunkd log ends just before the entry "03-08-2013 14:59:15.012 -0500 INFO loader - win-service: Starting as a Windows service: will run various system checks first..." would appear in a working config.

I found http://splunk-base.splunk.com/answers/28484/how-can-i-change-the-user-as-which-the-windows-universal..., which is a couple of years old and only talks about the forwarder--are the required permissions the same anyway?

1 Solution

bmacias84
Champion

@cphair,

This is what I did in my testing.

  • Created AD splunk Service account: domain\svc_splunk
  • On the Domain Controller I created a GPO - under Computer Configuration->Policies->Windows->Security Settings->Local Policies/User Rights Assignments
    • Policy: Deny log on Locally, Settings: domain\svc_splunk
    • Policy: Deny log on through Terminal Services, Settings: domain\svc_splunk
    • Policy: Log on as a batch job, Settings: Administrators, domain\local_services, domain\svc_splunk Note: you could add svc_splunk to a security group
    • Policy: Log on as a service, Settings: Administrators, domain\local_services, domain\svc_splunk Note: you could add svc_splunk to a security group

  • Apply GPO to Servers where splunk is installed

When you install splunk:


  • Install Splunk as the svc_splunk account or another domain account, most likely using the Runas command. If your service account does not have rights to install, install with another account; you will then have to change the file permissions.

  • Make sure the svc_splunk account (service account) has file permissions of full control over $SPLUNK_HOME and all child objects. If you split your WARM and COLD indexes, the same has to be done for those file objects. Make sure inheritance is applied to all child objects.

  • When using Splunk CLI commands, always run them under the Splunk service account context. If inheritance is broken and a user such as Administrator starts Splunk via the CLI, all new objects will show Administrator as owner and your service account will not have access, breaking Splunk.

  • You may have to specify additional permissions for other Windows objects you wish to monitor.

Note: By doing this watch out for NTFS permission issues.

Hope this helps you and/or gets you started. If this does help, don't forget to accept it or vote it up.

Cheers,

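The checklist above (service logon account, the four User Rights Assignment policies pushed by GPO, full control with inheritance on $SPLUNK_HOME and any relocated index paths, no child objects with broken inheritance) can be audited and repaired from an elevated PowerShell prompt on the search head. The script below is an added example and is not code from the original post or from Splunk; the account name DOMAIN\svc_splunk, the install path C:\Program Files\Splunk and the -ExtraPaths value are placeholder assumptions to be replaced with your own. It runs in audit mode by default; -Fix applies the NTFS changes but deliberately does not touch user rights, since those come from the GPO and a local edit would be overwritten at the next refresh.

```powershell
<#
  Added example (not from the original post): audit/repair the prerequisites for
  running splunkd as a domain service account. Assumed values (hypothetical):
  DOMAIN\svc_splunk, C:\Program Files\Splunk. Run elevated: secedit and Set-Acl
  need administrator rights. Get-WmiObject is used on purpose so the script also
  runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.
#>
[CmdletBinding()]
param(
    [string]$ServiceAccount = 'DOMAIN\svc_splunk',
    [string]$SplunkHome     = 'C:\Program Files\Splunk',
    [string[]]$ExtraPaths   = @(),          # e.g. relocated warm/cold index paths
    [switch]$Fix
)
$ErrorActionPreference = 'Stop'

# secedit reports principals by SID, so resolve the account once up front.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Which account do the Splunk services actually run as?
Get-WmiObject Win32_Service -Filter "Name LIKE 'Splunk%'" | ForEach-Object {
    $state = if ($_.StartName -ieq $ServiceAccount) { 'OK' } else { 'MISMATCH' }
    '{0,-18} runs as {1,-28} {2}' -f $_.Name, $_.StartName, $state
}

# 2. User Rights Assignment as effectively applied on this host (GPO result).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -Force

function Test-Right([string]$Right) {
    # Line format: SeServiceLogonRight = *S-1-5-32-544,*S-1-5-21-...
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return $false }
    $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($sids -contains $sid)
}
$rights = @(
    @{ Name = 'SeServiceLogonRight';               Label = 'Log on as a service';                   Want = $true  },
    @{ Name = 'SeBatchLogonRight';                 Label = 'Log on as a batch job';                 Want = $true  },
    @{ Name = 'SeDenyInteractiveLogonRight';       Label = 'Deny log on locally';                   Want = $true  },
    @{ Name = 'SeDenyRemoteInteractiveLogonRight'; Label = 'Deny log on through Terminal Services'; Want = $true  }
)
foreach ($r in $rights) {
    $has = Test-Right $r.Name
    $state = if ($has -eq $r.Want) { 'OK' } else { 'NOT SET (fix in GPO, then gpupdate /force)' }
    '{0,-40} {1}' -f $r.Label, $state
}

# 3. NTFS: inheritable Full Control on SPLUNK_HOME (and extra paths), and no child
#    object whose inheritance was broken, e.g. by files created while an
#    Administrator ran the CLI. Without this splunkd starts and then stops.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$bothInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ServiceAccount, $fullControl, $bothInherit, 'None', 'Allow')

foreach ($path in (@($SplunkHome) + $ExtraPaths)) {
    $acl  = Get-Acl -LiteralPath $path
    $have = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl) -and
        $_.InheritanceFlags -eq $bothInherit
    }
    $broken = Get-ChildItem -LiteralPath $path -Recurse -Force |
              Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }

    '{0}: inheritable FullControl for {1}: {2}; children with inheritance broken: {3}' -f
        $path, $ServiceAccount, $(if ($have) { 'present' } else { 'MISSING' }), @($broken).Count

    if ($Fix) {
        if (-not $have) {
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $path -AclObject $acl
        }
        # Re-enable inheritance on each protected child so the root ACE flows down.
        foreach ($child in $broken) { & icacls.exe $child.FullName /inheritance:e /Q | Out-Null }
    }
}
```

Run it once without -Fix, read the three sections, and only then run with -Fix. The icacls step re-enables inheritance rather than resetting ACLs, so explicit entries an Administrator added to a child are kept; if you want the tree to carry only inherited permissions, review those entries by hand before removing them.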

hortonew
Builder

This was very helpful. The GPO settings get the services to start. You do require full control on the Splunk root directory and its children as well, otherwise splunkd will start and auto-stop.

0 Karma

bmacias84
Champion

@cphair, make sure to use GPO modeling to ensure GPOs are linked in the correct order and settings are what is expected. Last GPO applied wins.

0 Karma

cphair
Builder

Thanks, @bmacias84. I won't be able to look at this for a few days, but I'll check it out and let you know how it goes.

0 Karma

bmacias84
Champion

Sure, I have this running in my lab at home. I'll post something by Monday with some of the caveats. Also, you might have to grant specific rights to folders and other objects explicitly.

0 Karma

cphair
Builder

I can't modify the GPO myself, but I might be able to request that it be modified...no promises, though. I'd like to know the minimum security requirements needed to make a domain service account work--essentially, if I start with a "normal" user account, what extra permissions does it need to run?

0 Karma

bmacias84
Champion

OK, this is a can of worms since it really depends on your AD environment, GPOs, security restrictions, and how limited you want that domain user to be. I've done this successfully, but it also has some caveats. How restrictive do you want it to be, and do you have the ability to modify GPOs?

0 Karma