Seems the local system account on Windows (default for Splunk Windows installs) is a very near equivalent of root on Unix, however I don't think that is called out as a security risk the same way as root is.
Great topic. I'd love to see more details in the documentation on best security practices for collection methods. Maybe a matrix?
> Splunk recommends that you don't run as root.
I'm looking for a citation in the online docs, but not finding any specific recommendation. A recommendation from Splunk would be helpful in forming or justifying our own policy. All I have found so far is Run Splunk Enterprise as a different or non-root user
Best practice in general is to run applications as non-admin users whenever possible. This is a defense-in-depth thing - if an attacker were somehow to be able to compromise the Splunk instance in one way or another and access the underlying operating system through it, it's obviously preferable that Splunk (and therefore the attacker in our scenario) doesn't have administrative privileges.