Splunk Enterprise

User Account that UF wants when installing it - does this have to be a local service account?

TopcaT668
Explorer

Hi,

Utter Noob here - I apologise for any really silly questions!

I'm installing Universal Forwarder to several machines which will forward data to a further intermediate instance, and then on to Enterprise.

My question is around the User Account that UF wants when I'm installing it. Does this have to be a local service account or can it be a Domain User account? I'm asking because on a domain-joined machine I have created a SplunkAdmin local user, but when I go to Local Security Policy > Local Policies > User Rights Assignment > Log on as a service to add the local account, the account is not shown, just the Domain accounts and groups.

Does this mean I need to create a Splunk account at the domain (AD) level and use it on all machines where I am installing Splunk Universal Forwarder?

Thanks for any and all help!


TopcaT668
Explorer

This may be my misunderstanding - I need Splunk UF to be running and exporting data about the machine when no-one is logged on. There are five machines involved, three which forward logs to a fourth also running UF, which then forwards to a Splunk Enterprise instance. I am, I'll admit, quite confused; however I believe (but it is likely wrong) that to allow the service to continue to operate once all human users are logged off it needs a service account?

My next issue, if that's true, is that these are all Domain Joined, so I don't seem to be able to create a local machine service account; I may need a domain Managed Service Account. I'm chasing down a rabbit hole I fear! 🙂


PickleRick
SplunkTrust

As @richgalloway mentioned - there are two different accounts at play here.

One is the UF's internal account, which is used for authenticating to the running forwarder in case you want to do splunk btool or splunk list monitor or any other things involving the local installation. It's a completely separate account from either your Windows (or domain) accounts and your "central" Splunk accounts. It's created only on this instance. That's created by the installer during the installation using the username and password supplied by you.

The other account is the user under which the splunk forwarder is running in the system. By default the installer wants to use a Local Service account which is often a good-enough solution in typical cases. In some cases however it might not be OK (for example if you want to query other servers via WMI or read files on network shares within the domain). In this case you can provide credentials for another local or domain account (typically a Managed Service Account or however it was called). And this account must be created beforehand by you or your admin.

Yes, it can be confusing in the beginning. 😉
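
A way to verify the second of these accounts on a given host is the added PowerShell check below (not from this thread or from Splunk): it reports which Windows account the forwarder service runs as and, if that is a custom local or domain account rather than the built-in Local Service, whether it actually holds the "Log on as a service" right so the service can start with nobody logged on. It assumes the service is registered under the default name SplunkForwarder and is run from an elevated prompt, since secedit needs it.

```powershell
# Added check (not Splunk's code): which account runs the UF service, and does
# it hold SeServiceLogonRight? Assumes the default service name "SplunkForwarder".
$ServiceName = 'SplunkForwarder'

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

$runAs = $svc.StartName
Write-Host "UF service '$ServiceName' runs as: $runAs (state: $($svc.State))"

# Built-in service accounts already have the right; this is the least-privileged
# default the installer proposes and needs no User Rights Assignment change.
$builtIn = @('NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\LocalSystem', 'LocalSystem')
if ($builtIn -contains $runAs) {
    Write-Host "Built-in account: no explicit 'Log on as a service' grant needed."
    return
}

# A custom account: resolve it to a SID, because secedit lists holders of a
# right as *S-1-5-... entries. ".\name" means a local account on this machine.
$acct = $runAs -replace '^\.\\', "$env:COMPUTERNAME\"
try {
    $sid = (New-Object System.Security.Principal.NTAccount($acct)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve '$acct' to a SID: $($_.Exception.Message)"
}

# Export the effective local security policy and read the SeServiceLogonRight line.
$cfg = Join-Path $env:TEMP 'secpol_export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = (($line.Line -split '=', 2)[1] -split ',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

if (($holders -contains $sid) -or ($holders -contains $acct)) {
    Write-Host "'$acct' holds 'Log on as a service': the UF can start unattended."
} else {
    Write-Warning ("'$acct' lacks 'Log on as a service'; grant it under Local Security " +
        "Policy > Local Policies > User Rights Assignment, or via Group Policy on a domain member.")
}
```

On a domain-joined machine a domain Group Policy that defines this right overrides the local list, which is one reason a locally created account can appear to be missing from the picker; comparing the exported SIDs against the account tells you what is actually in effect.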

richgalloway
SplunkTrust

If I understand correctly, there are two accounts involved.  The first is the one you sign in to the server with and which will also run Splunk.  Splunk recommends using a local service account for that.

The other account is the one the installer wants you to create.  That's a Splunk account and does not go into AD.  It's used to authenticate users performing certain CLI commands.  The account almost always is "admin" and password follows whatever rules you have.

---
If this reply helps you, Karma would be appreciated.

TopcaT668
Explorer

Hi and thank you for the reply.

So could I please clarify - during the Universal Forwarder installation I am asked at one dialog to enter a username and a password twice, or to allow the installer to generate a random password. At that step I am adding a new account which Splunk will use to authenticate user(s) at the CLI.

I suppose that my next question is more a Windows question however I will ask here, with apologies if it is inappropriate:

I have logged into the VM I am installing UF onto using my own domain account, and have installed the Universal Forwarder.  I'm not sure I understand how I create a separate service account to allow Splunk to operate.

As always, any and all help very very gratefully received. Thank you.


richgalloway
SplunkTrust

I've never needed to create a Windows account for Splunk.  Just sign in to the VM as you normally do and run the installer.  The installer does the rest.

---
If this reply helps you, Karma would be appreciated.