Splunk Universal Forwarder Windows Install Local User

a_kearney
Path Finder

Hi

According to the Splunk Docs from version 9.1:

"the installer creates a virtual account as a "least privileged" user called splunkfwd"

After an upgrade to version 9.1.2 I am having trouble with the UF autostarting. Looking at Windows Event Logs I can see the following error:

a_kearney_0-1706783988474.png

Which suggests the account is actually "SplunkForwarder" not "splunkfwd"

When I check the Windows Service Log On user I also see the user "SplunkForwarder":

a_kearney_1-1706784212017.png

 

And "SplunkForwarder" is also the only Splunk related user I can see when I run the following command to list all users:

get-service | foreach {Write-Host NT Service\$($_.Name)}

 

Can someone confirm that the Doc is incorrect and the virtual account created is in fact SplunkForwarder? Or is "splunkfwd" created somewhere else?

 

Thanks

 

0 Karma

isoutamo
SplunkTrust

Hi

Based on your screenshots, it's just like you said, and the docs state this wrongly. You should leave a comment/correction on that doc page. They are happy to get feedback and will correct this sooner or later.
On Linux that user is splunkfwd, as the docs say.

r. Ismo

0 Karma

a_kearney
Path Finder

In the process of raising a Splunk case I was able to find a Knowledge Article (000012459) that explained how to install the Splunk UF as the LocalSystem user as was previously standard:

 

Resolution

For silent installation, a Windows universal forwarder install from the command line using the LOCAL_SYSTEM account (which is not a security best practice) looks like this:

msiexec.exe /i splunkforwarder-9.1.2-b6b9c8185839-x64-release.msi LAUNCHSPLUNK=0 AGREETOLICENSE=Yes GENRANDOMPASSWORD=1 SERVICESTARTTYPE=auto USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 /quiet

by using flags: USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 

 

 

 

0 Karma
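
One way to confirm which account the forwarder service actually logs on as, and to tell a virtual-account install from the USE_LOCAL_SYSTEM=1 install described above. This is an added example, not from the thread or from Splunk; the service name SplunkForwarder, the function name Get-ServiceAccountKind and the sample values are assumptions.

```powershell
# Added example. Assumes the UF service is named "SplunkForwarder".
function Get-ServiceAccountKind {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][AllowEmptyString()][string]$StartName
    )
    # A virtual account has the form "NT SERVICE\<service name>" (compared case-insensitively).
    if ($StartName -ieq "NT SERVICE\$ServiceName") { return 'VirtualAccount' }
    if ($StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) { return 'LocalSystem' }
    if ($StartName -like 'NT AUTHORITY\*') { return 'BuiltInServiceAccount' }
    return 'NamedUserAccount'
}

# Constructed sample values, used only to show the classification offline.
$samples = 'NT SERVICE\SplunkForwarder', 'LocalSystem', 'NT AUTHORITY\LocalService', '.\svc_splunk'
foreach ($s in $samples) {
    '{0,-30} -> {1}' -f $s, (Get-ServiceAccountKind -ServiceName 'SplunkForwarder' -StartName $s)
}

# Live check on a Windows host: report the account the installed service really uses.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SplunkForwarder'" -ErrorAction SilentlyContinue
if ($svc) {
    $kind = Get-ServiceAccountKind -ServiceName $svc.Name -StartName ([string]$svc.StartName)
    [pscustomobject]@{
        Service   = $svc.Name
        LogOnAs   = $svc.StartName
        Kind      = $kind
        StartMode = $svc.StartMode
        State     = $svc.State
    }
    if ($kind -eq 'LocalSystem') {
        # LocalSystem is what USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 produces.
        Write-Warning 'Service runs as LocalSystem, not the least-privileged virtual account.'
    }
} else {
    Write-Warning 'No service named SplunkForwarder found on this host.'
}
```
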

VatsalJagani
SplunkTrust

@a_kearney - I have not upgraded Splunk UF to the latest version yet.

I recommend you create a Splunk support ticket for a quick answer to your question.

 

I hope this helps!!! Kindly upvote if it does!!

0 Karma