Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Universal Forwarder Windows Install Local User

a_kearney
Path Finder
‎02-01-2024 02:48 AM

Hi

According to the Splunk Docs from version 9.1:

"the installer creates a virtual account as a "least privileged" user called splunkfwd"

After an upgrade to version 9.1.2 I am having trouble with the UF autostarting. Looking at Windows Event Logs I can see the following error:

a_kearney_0-1706783988474.png

Which suggests the account is actually "SplunkForwarder" not "splunkfwd"

When I check the Windows Service Log On user I also see the user "SplunkForwarder":

a_kearney_1-1706784212017.png

 

And "SplunkForwarder" is also the only Splunk related user I can see when I run the following command to list all users:

get-service | foreach {Write-Host NT Service\$($_.Name)}

 

Can someone confirm that the Doc is incorrect and the virtual account created is in fact SplunkForwarder? Or is "splunkfwd" created somewhere else?

 

Thanks

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-13-2024 11:01 AM

Hi

based on your screenshots it’s just like you said and docs told this wrongly. You should leave comment/ corrections on that doc page. They are happy to get feedback and will correct this sooner or later. 
On Linux that user is splunkfwd as docs told.

r. Ismo

0 Karma
Reply

a_kearney
Path Finder
‎02-13-2024 04:06 AM

In the process of raising a Splunk case I was able to find a Knowledge Article (000012459) that explained how to install the Splunk UF as the LocalSystem user as was previously standard:

 

Resolution

For silent installation, a Windows universal forwarder from the command line to use LOCAL_SYSTEM account (which is not a security best practice) looks like below:

msiexec.exe /i splunkforwarder-9.1.2-b6b9c8185839-x64-release.msi LAUNCHSPLUNK=0 AGREETOLICENSE=Yes GENRANDOM
PASSWORD=1 SERVICESTARTTYPE=auto USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 /quiet

by using flags: USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 

 

 

 

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-01-2024 07:21 AM

@a_kearney - I have not upgraded Splunk UF to the latest version yet.

I recommend you create a Splunk support ticket for a quick answer to your question.

 

I hope this helps!!! Kindly upvote if it does!!

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...