What permissions are required to run Splunk services on a Windows 2008 R2 search head with a domain account? The service was originally installed as local system, and it still runs if I change it to an admin account, but a non-admin account does not work, even with full control on the Splunk installation directory and rights to log on as a service. In a non-working (non-admin) config, the splunkd log ends just before the entry "03-08-2013 14:59:15.012 -0500 INFO loader - win-service: Starting as a Windows service: will run various system checks first..." would appear in a working config.
I found http://splunk-base.splunk.com/answers/28484/how-can-i-change-the-user-as-which-the-windows-universal..., which is a couple years old and only talks about the forwarder--are the required permissions the same anyway?
Ok, this is a can of worms, since it really depends on your AD environment, GPOs, security restrictions, and how limited you want that domain user to be. I've done this successfully, but it also has some caveats. How restrictive do you want it to be, and do you have the ability to modify the GPO?
I can't modify the GPO myself, but I might be able to request that it be modified...no promises, though. I'd like to know the minimum security requirements needed to make a domain service account work--essentially, if I start with a "normal" user account, what extra permissions does it need to run?
Sure, I have this running in my lab at home. I'll post something by Monday with some of the caveats. Also, you might have to grant specific rights to folders and other objects explicitly.
This is what I did in my testing.
When you install splunk:
Note: By doing this watch out for NTFS permission issues.
Hope this helps you and/or gets you started. If this does help, don't forget to accept or vote this up.
Thanks, @bmacias84. I won't be able to look at this for a few days, but I'll check it out and let you know how it goes.
@cphair, make sure to use GPO modeling to ensure GPOs are linked in the correct order and settings are what is expected. Last GPO applied wins.
This was very helpful. The GPO settings get the services to start. You do require full control on the Splunk root directory and its children as well; otherwise splunkd will start and auto-stop.
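The two requirements the thread settles on (the "Log on as a service" right via GPO, plus Full Control on the Splunk root and all of its children for the service account) can be applied and checked from PowerShell on the search head. The script below is an added example, not code from the thread or from Splunk. It assumes a service account `CORP\svc_splunk`, an install directory of `C:\Program Files\Splunk`, and Splunk 5-era service names `splunkd` and `splunkweb`; none of those appear on the page. It leaves user-rights assignment to the GPO, as the thread does, and only handles the NTFS grant, the service logon account, and a check that splunkd actually stays up and writes the "Starting as a Windows service" line from the question.

```powershell
# Added example (not from the thread): move the Splunk services on a Windows 2008 R2
# search head to a domain account and grant it the NTFS rights the thread reports are needed.
# Assumptions (not stated on the page): account CORP\svc_splunk, install dir
# C:\Program Files\Splunk, service names splunkd and splunkweb.
# "Log on as a service" (SeServiceLogonRight) is granted through GPO / local security
# policy as discussed in the thread; this script does not touch user rights assignment.
# Run from an elevated PowerShell 2.0 or later session.

param(
    [string]$Account    = 'CORP\svc_splunk',
    [string]$SplunkHome = 'C:\Program Files\Splunk',
    [string[]]$Services = @('splunkd', 'splunkweb')
)

$cred = Get-Credential -Credential $Account   # prompts for the service account's password

# 1. NTFS: Full Control on the Splunk root, inherited by every child (OI = object inherit,
#    CI = container inherit, F = full control, /T = also rewrite existing children).
#    Without the children, splunkd starts and then stops again, as the last reply reports.
& icacls.exe $SplunkHome /grant ("{0}:(OI)(CI)F" -f $Account) /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $SplunkHome" }

# 2. Service logon account: stop, reconfigure with sc.exe, restart later.
#    sc.exe requires the space after "obj=" and "password=".
$plain = $cred.GetNetworkCredential().Password
foreach ($svc in $Services) {
    if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) { continue }
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    & sc.exe config $svc obj= $Account password= $plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed for $svc" }
}
$plain = $null

# 3. Verify the ACL really carries an explicit Full Control entry for the account.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl -Path $SplunkHome
$hasFull = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    (($_.FileSystemRights -band $full) -eq $full)
}
if (-not $hasFull) { throw "Full Control for $Account not present on $SplunkHome" }

# 4. Start the services and wait for them to report Running.
foreach ($svc in $Services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { continue }
    Start-Service -Name $svc
    $s.WaitForStatus('Running', (New-TimeSpan -Seconds 60))
    Write-Host ("{0}: {1}" -f $svc, (Get-Service -Name $svc).Status)
}

# 5. Give splunkd time to either stay up or auto-stop, then look for the log line the
#    question says appears only in a working configuration.
Start-Sleep -Seconds 15
$log  = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
$tail = Get-Content -Path $log | Select-Object -Last 40
if ($tail -match 'win-service: Starting as a Windows service') {
    Write-Host 'splunkd got past the Windows service start checks'
} else {
    Write-Warning 'No "Starting as a Windows service" entry in the log tail; re-check the GPO user rights and the NTFS grant'
    $tail
}
if ((Get-Service -Name 'splunkd').Status -ne 'Running') {
    Write-Warning 'splunkd is not running; if it started and then stopped, the Full Control grant did not reach all children'
}
```

Run it once after the GPO with "Log on as a service" has applied (gpresult /r or GPO modeling, as the thread suggests, confirms which GPO won). If step 4 times out rather than step 5 failing, the logon right is the missing piece; if splunkd reaches Running and then stops, the NTFS grant is.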