Installation

Splunk Universal Forwarder Windows Install Local User

a_kearney
Path Finder

Hi

According to the Splunk Docs from version 9.1:

"the installer creates a virtual account as a "least privileged" user called splunkfwd"

After an upgrade to version 9.1.2 I am having trouble with the UF autostarting. Looking at Windows Event Logs I can see the following error:

a_kearney_0-1706783988474.png

Which suggests the account is actually "SplunkForwarder" not "splunkfwd"

When I check the Windows Service Log On user I also see the user "SplunkForwarder":

a_kearney_1-1706784212017.png

 

And "SplunkForwarder" is also the only Splunk related user I can see when I run the following command to list all users:

get-service | foreach {Write-Host NT Service\$($_.Name)}

 

Can someone confirm that the Doc is incorrect and the virtual account created is in fact SplunkForwarder? Or is "splunkfwd" created somewhere else?

 

Thanks

 

Labels (1)
Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

based on your screenshots it’s just like you said and docs told this wrongly. You should leave comment/ corrections on that doc page. They are happy to get feedback and will correct this sooner or later. 
On Linux that user is splunkfwd as docs told.

r. Ismo

0 Karma

a_kearney
Path Finder

In the process of raising a Splunk case I was able to find a Knowledge Article (000012459) that explained how to install the Splunk UF as the LocalSystem user as was previously standard:

 

Resolution

For silent installation, a Windows universal forwarder from the command line to use LOCAL_SYSTEM account (which is not a security best practice) looks like below:

msiexec.exe /i splunkforwarder-9.1.2-b6b9c8185839-x64-release.msi LAUNCHSPLUNK=0 AGREETOLICENSE=Yes GENRANDOM
PASSWORD=1 SERVICESTARTTYPE=auto USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 /quiet

by using flags: USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 

 

 

 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@a_kearney - I have not upgraded Splunk UF to the latest version yet.

I recommend you create a Splunk support ticket for a quick answer to your question.

 

I hope this helps!!! Kindly upvote if it does!!

0 Karma
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...