Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Universal Forwarder Windows Install Local User

a_kearney
Path Finder
‎02-01-2024 02:48 AM

Hi

According to the Splunk Docs from version 9.1:

"the installer creates a virtual account as a "least privileged" user called splunkfwd"

After an upgrade to version 9.1.2 I am having trouble with the UF autostarting. Looking at Windows Event Logs I can see the following error:

a_kearney_0-1706783988474.png

Which suggests the account is actually "SplunkForwarder" not "splunkfwd"

When I check the Windows Service Log On user I also see the user "SplunkForwarder":

a_kearney_1-1706784212017.png

 

And "SplunkForwarder" is also the only Splunk related user I can see when I run the following command to list all users:

get-service | foreach {Write-Host NT Service\$($_.Name)}

 

Can someone confirm that the Doc is incorrect and the virtual account created is in fact SplunkForwarder? Or is "splunkfwd" created somewhere else?

 

Thanks

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-13-2024 11:01 AM

Hi

based on your screenshots it’s just like you said and docs told this wrongly. You should leave comment/ corrections on that doc page. They are happy to get feedback and will correct this sooner or later. 
On Linux that user is splunkfwd as docs told.

r. Ismo

0 Karma
Reply

a_kearney
Path Finder
‎02-13-2024 04:06 AM

In the process of raising a Splunk case I was able to find a Knowledge Article (000012459) that explained how to install the Splunk UF as the LocalSystem user as was previously standard:

 

Resolution

For silent installation, a Windows universal forwarder from the command line to use LOCAL_SYSTEM account (which is not a security best practice) looks like below:

msiexec.exe /i splunkforwarder-9.1.2-b6b9c8185839-x64-release.msi LAUNCHSPLUNK=0 AGREETOLICENSE=Yes GENRANDOM
PASSWORD=1 SERVICESTARTTYPE=auto USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 /quiet

by using flags: USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 

 

 

 

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-01-2024 07:21 AM

@a_kearney - I have not upgraded Splunk UF to the latest version yet.

I recommend you create a Splunk support ticket for a quick answer to your question.

 

I hope this helps!!! Kindly upvote if it does!!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...