Splunk Enterprise Security

Will I be able to install and run the Splunk App for Enterprise Security on Linux with an LDAP service account?

brent_weaver
Builder

We are installing Splunk on CentOS Linux in the next week or so. Our service accounts are going to be on an LDAP server. Will I be able to install and run the Splunk App for Enterprise Security with an LDAP service account?

0 Karma

tskinnerivsec
Contributor

Since you are referring to an operating system level account and not one within the Splunk application, you will need to use a samba-client component on your Linux server such as winbind. You will install those components and configure it to participate in Active Directory. This will allow you to create an Active Directory synced account on your operating system. Then you can use that account and follow the Splunk installation procedure for installing with a no privileged account.

tskinnerivsec
Contributor

yes you will. You will be able to use a combination of two splunk configuration files, authentication.conf and authorization.conf to configure ldap authentication for Splunk and create/map splunk roles to security groups in Active Directory. Here are two good references covering the ways Splunk can integrate with Active Directory/LDAP, all at the application level, so it won't matter what operating system you are running it on.

http://blogs.splunk.com/2009/08/13/ldap-auth-configuration-tips/

http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/ConfiguretheSA-ldapsearchsupport...

0 Karma

brent_weaver
Builder

Hey thank you for your response. I am asking bout the service account at a linux level to install splunk with. So when I install splunk on linux I am not going to use the linux root account, i want to use a splunk account that is on an ldap server. Is this possible and/or even possible?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...