Splunk Enterprise Security

Any challenges running Splunk ES without admin I should be aware of?

Builder

All,

Per a request from our security team, I moved Splunk to LDAP only and blasted the local admin account. But ES is going crazy about orphaned objects now. Any recommendation?

I was thinking I can get away with creating a service account and reassign the objects there. Will that be fine?


Re: Any challenges running Splunk ES without admin I should be aware of?

Splunk Employee

All the ES searches run as admin, which is why everything is broken now 🙂 You are correct that it is fine to reassign all the objects to a service account. See http://docs.splunk.com/Documentation/ES/5.0.0/Install/ConfigureUsersRoles
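As an added example (not part of the thread and not Splunk's own tooling), the sketch below audits the text of an app's `metadata/local.meta` for objects whose `owner` no longer maps to a valid user and rewrites only those owner lines. The service account name `svc_es`, the user `jdoe` and the sample stanzas are assumptions constructed for illustration.

```python
import re

# Constructed sample of an app's metadata/local.meta (not from a real deployment).
SAMPLE_META = """\
[savedsearches/Access%20-%20Brute%20Force%20-%20Rule]
owner = admin
version = 7.0.0

[savedsearches/Custom%20Report]
owner = jdoe
access = read : [ * ], write : [ admin ]

[lookups/assets.csv]
export = system
owner = nobody
"""

STANZA = re.compile(r"^\[(.*)\]\s*$")
OWNER = re.compile(r"^(\s*owner\s*=\s*)(\S+)\s*$")

def is_orphan(owner, valid_users):
    # "nobody" means the object has no individual owner, so it is never orphaned.
    return owner != "nobody" and owner not in valid_users

def find_orphans(meta_text, valid_users):
    """Return {stanza: owner} for objects owned by an account that no longer exists."""
    orphans, stanza = {}, None
    for line in meta_text.splitlines():
        if m := STANZA.match(line):
            stanza = m.group(1)
        elif (m := OWNER.match(line)) and stanza is not None:
            if is_orphan(m.group(2), valid_users):
                orphans[stanza] = m.group(2)
    return orphans

def reassign(meta_text, valid_users, new_owner):
    """Rewrite owner lines of orphaned objects only; role ACLs such as
    'write : [ admin ]' name roles, not users, and are left untouched."""
    out = []
    for line in meta_text.splitlines():
        m = OWNER.match(line)
        if m and is_orphan(m.group(2), valid_users):
            line = f"{m.group(1)}{new_owner}"
        out.append(line)
    return "\n".join(out) + "\n"
```
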