- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Running Splunkd as a gMSA
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running Splunkd as a gMSA
Has anyone had success with running the Splunkd service on a HeavyForwarder using a gMSA (Group Managed Service account)?
I am using the gMSA account on the HeavyForwarder already for other services and this is working, but when i try run the Splunkd service as a gMSA i get various issues.
The gMSA is also in the local Administrator group.
The service starts but there are permission issues... Mongo fails to start, KVStore issues etc...
splunkd.log
06-29-2018 10:06:18.557 +0100 ERROR Logger - Failed opening "C:\Program Files\Splunk\var\log\introspection\disk_objects.log": Access is denied.
06-29-2018 10:06:18.557 +0100 ERROR Logger - Failed opening "C:\Program Files\Splunk\var\log\introspection\http_event_collector_metrics.log": Access is denied.
06-29-2018 10:06:18.557 +0100 ERROR Logger - Failed opening "C:\Program Files\Splunk\var\log\introspection\kvstore.log": Access is denied.
06-29-2018 10:06:18.557 +0100 ERROR Logger - Failed opening "C:\Program Files\Splunk\var\log\introspection\resource_usage.log": Access is denied.
06-29-2018 10:08:22.999 +0100 ERROR KVStoreConfigurationProvider - Could not get ping from mongod.
06-29-2018 10:08:22.999 +0100 ERROR KVStoreConfigurationProvider - Could not start mongo instance. Initialization failed.
06-29-2018 10:08:22.999 +0100 ERROR KVStoreBulletinBoardManager - Failed to start KV Store process. See mongod.log and splunkd.log for details.
mongod.log
2018-06-29T09:08:12.347Z I CONTROL [initandlisten] options: { net: { port: 8191, ssl: { PEMKeyFile: "C:\Program Files\Splunk\etc\auth\server.pem", PEMKeyPassword: "", allowInvalidHostnames: true, disabledProtocols: "noTLS1_0,noTLS1_1", mode: "requireSSL", sslCipherConfig: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RS..." } }, replication: { oplogSizeMB: 200, replSet: "E98BF268-F1CB-4CF1-945B" }, security: { javascriptEnabled: false, keyFile: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\splunk.key" }, setParameter: { enableLocalhostAuthBypass: "0" }, storage: { dbPath: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo", mmapv1: { smallFiles: true } }, systemLog: { timeStampFormat: "iso8601-utc" } }
2018-06-29T09:08:12.348Z I STORAGE [initandlisten] exception in initAndListen: 98 Unable to create/open lock file: C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\mongod.lock errno:5 Access is denied.. Is a mongod instance already running?, terminating
What permissions are necessary for a gMSA?
This page talks about service accounts but not specifically about gMSA's
Any help would be appreciated.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
