Installation

Splunk Universal Forwarder Windows Install Local User

a_kearney
Path Finder

Hi

According to the Splunk Docs from version 9.1:

"the installer creates a virtual account as a "least privileged" user called splunkfwd"

After an upgrade to version 9.1.2 I am having trouble with the UF autostarting. Looking at Windows Event Logs I can see the following error:

a_kearney_0-1706783988474.png

Which suggests the account is actually "SplunkForwarder" not "splunkfwd"

When I check the Windows Service Log On user I also see the user "SplunkForwarder":

a_kearney_1-1706784212017.png

 

And "SplunkForwarder" is also the only Splunk related user I can see when I run the following command to list all users:

get-service | foreach {Write-Host NT Service\$($_.Name)}

 

Can someone confirm that the Doc is incorrect and the virtual account created is in fact SplunkForwarder? Or is "splunkfwd" created somewhere else?

 

Thanks

 

Labels (1)
Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

based on your screenshots it’s just like you said and docs told this wrongly. You should leave comment/ corrections on that doc page. They are happy to get feedback and will correct this sooner or later. 
On Linux that user is splunkfwd as docs told.

r. Ismo

0 Karma

a_kearney
Path Finder

In the process of raising a Splunk case I was able to find a Knowledge Article (000012459) that explained how to install the Splunk UF as the LocalSystem user as was previously standard:

 

Resolution

For silent installation, a Windows universal forwarder from the command line to use LOCAL_SYSTEM account (which is not a security best practice) looks like below:

msiexec.exe /i splunkforwarder-9.1.2-b6b9c8185839-x64-release.msi LAUNCHSPLUNK=0 AGREETOLICENSE=Yes GENRANDOM
PASSWORD=1 SERVICESTARTTYPE=auto USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 /quiet

by using flags: USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 

 

 

 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@a_kearney - I have not upgraded Splunk UF to the latest version yet.

I recommend you create a Splunk support ticket for a quick answer to your question.

 

I hope this helps!!! Kindly upvote if it does!!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...