Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk UF install via Intune

Steven73
Observer
‎02-15-2024 04:34 AM

Looking for some advice please!

I have pushed Splunk UF via MS Intune to all domain laptops. All looks well with config file and settings for reporting server and ports set.

On an example machine, go to services, SplunkForwarder is running.

These logs are meant to be pushed to our CyberDefence 3rd party.  However, it seems Splunk has no rights to send logs (possibly due to 'Log on' as settings in SplunkForwarder service).

Has anyone ever encountered this before and resolved, or completed Spunk UF install via Intune?

Labels (1)
Labels
0 Karma
Reply

tkopchak
SplunkTrust
SplunkTrust
‎04-04-2024 06:22 AM

Recent versions of the Splunk Universal Forwarder install with a least privileged user that doesn't have the ability to pull Windows event logs by default.  This is different from older versions of the UF which worked differently and could pull all logs by default.  

I'm not familiar with what you can do with Intune, but do you have the ability to specify command line arguments to run with the deployment? I'm thinking you may need to add something like WINEVENTLOG_SEC_ENABLE=1 (or similar). 

See https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/InstallaWindowsuniversalforwarderfro... for details along with other supported options. 

0 Karma
Reply

jai1989
New Member
‎04-04-2024 03:05 AM

Hi Steven,

I am trying to push SPLUNK UF to Windows and MAC laptops.

Can you please the steps how you did through Intune. It would be lot helpful

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 06:20 AM

The configs may *look* well, but maybe they aren't.  Share the inputs.conf and outputs.conf settings for a second opinion.

What gave you the impression that Splunk has no rights to send logs?

How are you attempting to send data to the third-party tool?  Have you seen https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...