Installation

Getting "access denied" error during Splunk installation.

Trainsada
Engager

Setting mgmt to port: 9000
Failed to open splunk.secret 'C:\Program Files\Splunk\etc\auth\splunk.secret' file. Some passwords will not work. errno=Access is denied.
Unable to read 'C:\Program Files\Splunk\etc\auth\splunk.secret' file.
Operation "ospath_fopen" failed in C:\wrangler-2.0\build-src\kimono\src\libzero\conf-mutator-locking.c:313, conf_mutator_lock(); No error

Action taken
Provided the Read/Write access
Changed the port number
Restarted the machine


gavsdavs_GR
Path Finder

"Install as administrator" appears to be an over-simplification.

Scenario: Splunk on Windows, running a deployment server forwarding to remote indexers. It's installed as a user which is a localmachine administrator, but it's not LOCALSYSTEM\Administrator. Let's call it "localsplunkadminuser".

Splunk itself starts and runs fine.

I have a "log into git, pull fresh content if there is any, and run 'reload deploy-server'" content updater script.
I used to run this as the same localsplunkadminuser, and all was well.

I now am being asked by my local security people to run my "content updater" script as a non local admin (let's call this user "non-admin-content-update-user").

The script knows how to talk to our local password store to get creds to a) log into git, and also b) log into Splunk with an account with the capabilities to run "reload deploy-server" (i.e. a splunk admin)

I have given the non-admin-content-update-user full control over all the files in c:\Program Files\Splunk, so it should have the rights to alter/change any files. It's able to make changes to files that are getting updated in git (i.e. files under c:\Program Files\Splunk\etc\deployment-apps and c:\Program Files\Splunk\etc\apps).

Unfortunately, when the content updater script is run by non-admin-content-update-user, it gets this error.

2018-11-30 13:51:20,394|ERROR|returncode=63, output="No error
Operation "ospath_fopen" failed in C:\wrangler-2.0\build-src\ivory\src\libzero\conf-mutator-locking.c:313, conf_mutator_lock(); ", restart="False"

So I AM running Splunk as a local machine administrator, but I'm trying to ask it to reload deployment server from a non admin user and it won't permit it. Let me be clear, it's not because I'm failing to authenticate to Splunk, it's because Splunk doesn't appear to permit a non-admin user to run the splunk binary.

What's the reason here? Are there any specific rights I can give my non-admin user to let it run "Splunk.exe reload deploy server"?

Thanks


Trainsada
Engager

Simple. Install as an administrator
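
Added example, not part of the thread and not Splunk's own tooling: a PowerShell check, run as the account that gets the error, that lists the ACL entries on the paths named in the posts above and tries to open splunk.secret for read and for read/write. The `$SplunkHome` parameter and the choice of targets are assumptions taken from those paths; the script reports file permissions only and does not explain the `conf_mutator_lock()` failure by itself.

```powershell
# Added diagnostic (not from the thread). Run as the account that hits the error.
param(
    # Install root as it appears in the thread's error output (assumed default).
    [string]$SplunkHome = 'C:\Program Files\Splunk'
)

# Paths named in the posts: the secret file and the two git-managed folders.
$targets = @(
    (Join-Path $SplunkHome 'etc\auth\splunk.secret'),
    (Join-Path $SplunkHome 'etc\deployment-apps'),
    (Join-Path $SplunkHome 'etc\apps')
)

# Report who is running and whether the token is an elevated administrator token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($identity.Name); elevated administrator token: $elevated"

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { "MISSING  $path"; continue }
    "`n$path"
    try {
        # Reading the ACL itself can be denied, so treat that as a finding too.
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        "  owner: $($acl.Owner); inheritance blocked: $($acl.AreAccessRulesProtected)"
        foreach ($ace in $acl.Access) {
            "  {0,-5} {1,-40} {2} (inherited: {3})" -f $ace.AccessControlType,
                $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
        }
    } catch {
        "  cannot read ACL: $($_.Exception.Message)"
    }

    # For files, attempt the same kind of open the error message complains about.
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        foreach ($mode in 'Read', 'ReadWrite') {
            try {
                $fs = [System.IO.File]::Open($path, 'Open', $mode, 'ReadWrite')
                $fs.Close()
                "  open ($mode): OK"
            } catch {
                "  open ($mode): FAILED - $($_.Exception.Message)"
            }
        }
    }
}
```

A process that is not elevated gets no access from entries granted only to BUILTIN\Administrators, so compare the entry list against the account name printed on the first line.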
