Security

MSA - Insufficient privileges to collect resource usage metrics?

vbouc
New Member

Hello,

We decided to run Splunk (Windows) with a MSA (Managed Service Account) with the Minimum permissions requirements from this documentation :
https://docs.splunk.com/Documentation/Splunk/7.3.2/Installation/ChoosetheuserSplunkshouldrunas

This is the privileges we gave to this account :

Required basic permissions for the splunkd or splunkforwarder services

Full control over the Splunk Enterprise installation directory.
Read access to any files that you want to index.

Required Local/Domain Security Policy user rights assignments for the splunkd or splunkforwarder services

Permission to log on as a service.
Permission to log on as a batch job.
Permission to replace a process-level token.
Permission to act as part of the operating system.
Permission to bypass traverse checking.

So far, it works well. Also, we gave the MSA the "Modify" rights on the whole Splunk folder. Only, there is one problem :
Since we run it as MSA, we get this error :

ERROR IntrospectionGenerator:resource_usage -  RU - Splunk was started with insufficient privileges to collect resource usage metrics. Please modify the service properties to run with Administrator privileges. Exiting.

I've search everywhere, and no one seems to have this error on the web. Is there some documentation explaining the context of this error? Is there some privileges not shown from the Splunk documentation that are missing?

Also, I've noted that the "/var/log/introspection/resource_usage.log" file stopped being fulfill as soon as we activated the MSA.

Thanks in advance

Labels (1)
Tags (1)
0 Karma

ivarny
Path Finder

Did you ever resolve this issue?
I am seeing the same.

 

0 Karma

ivanreis
Builder

My understanding is that you are still having permission issues. Stop splunk service, re-apply the permissions to entire recursively under splunk installation.
you can use icacls windows command to deploy these permissions. this is what I usually used when I had permission issues on the Splunk windows installation
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

I believe the command is similar the one below:
icacls C:\splunk_path /grant "yourmsausers" /t

0 Karma

ivanreis
Builder

I forgot to mention to start splunk service after you deploy the permissions. it is important you ran the steps above with the splunk service stopped to guarantee that all the permissions will be redeployed properly.

0 Karma

vbouc
New Member

This exact procedure was done previously.

  1. Stopped Splunk
  2. Changed the owner of Splunk folders to mine so I can change the permission without any problem.
  3. Apply the permissions (No problem was found)
  4. Re-assign owner of Splunk folders to local system.
  5. Started Splunk.

Problem not resolved.

0 Karma

ivanreis
Builder

The issues I had and fixed with Icacls was related with system local account on windows servers. Which is the user you are re-applying those permissions? I believe you have to run this command as administrator.

I found this other command from this link -> https://stackoverflow.com/questions/2928738/how-to-grant-permission-to-users-for-a-directory-using-c...

icacls "c:\somelocation\of\path" /q /c /t /grant Users:F

F gives Full Access.

/q /c /t applies the permissions to subfolders.

In some cases, I have to move splunk to other folder, re-apply the permissions, moved again to original folder, and re-deploy the permissions again.
I am not really sure why this happen, but it seems something is prevent or holding the folder to received the correct permission. Make sure the user you are running the command has the proper access to change the permission, as stated on the document, you have to run the permissions as administrator.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...