Splunk Enterprise

What is the purpose of Universal Forwarder on Windows - Administrator Credential?

shocko
Contributor

I'm running Splunk Enterprise 8.2.4. When deploying the Universal Forwarder for Windows (version 8.2.4) and selecting to run it under the Local System account it subsequently asks me for the 'create credentials for the administrator account' as per attached. What is the purpose of this ?


PickleRick
SplunkTrust
SplunkTrust

It's a misunderstanding. One thing is the Windows user the application runs with - Local System or a particular local/domain account. That's configured on a previous screen.

What you're showing is a local Splunk UF user - it's an internal Splunk authentication method. It's needed if you, for example, run the splunk btool command or create inputs/outputs by means of CLI commands. You have to provide this user's credentials in order to manipulate the Splunk installation.

So you might run the UF as Local System or Your_Domain\splunk or whatever user you want, but you create a user _within Splunk UF_ for some administrative tasks.


shocko
Contributor

The following command will ask for the admin password on windows UF:

  • splunk monitor list

As such, I agree that the admin password appears to be required for Splunk-based auth to run certain commands. Makes a lot of sense actually, as it separates the software to a degree from the OS auth model.


shocko
Contributor

OK but I have run the btool command from the UF (for example) on Windows and have never been prompted for this credential. That said, I'm always logging into my Windows Server System as an OS admin user. 

I MUST specify it using the UI installer though. I can understand that you might use this as follows:

  • You have a script that has standard non-elevated OS user rights on Windows and hence cannot access the underlying conf files
  • You want this script to configure the UF
  • The Splunk forwarder credential used during setup can be assigned to the script for this usage

I will test this hypothesis. 

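The scenario sketched in the list above (a non-elevated script that configures the UF through the forwarder's internal credential rather than by editing conf files), together with the `splunk list monitor` observation earlier in the thread, as an added PowerShell example that is not from the thread or from Splunk's own documentation. The distinction it relies on: `splunk btool` only parses the .conf files on disk and never contacts splunkd, so it needs OS read access but no Splunk login, whereas `add monitor` / `list monitor` go through the running splunkd and therefore require the internal user. Assumptions: the default install path `C:\Program Files\SplunkUniversalForwarder`, an internal user named `admin`, a running UF service, and a placeholder log directory and sourcetype.

```powershell
# Added example (not from the thread): configure a Windows Universal Forwarder
# from a non-elevated OS user by authenticating to splunkd with the UF's
# internal admin credential. Assumed: default install path, internal user
# "admin", UF service running. $LogDir and the sourcetype are placeholders.

$SplunkExe  = 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe'
$SplunkUser = 'admin'                     # internal UF user created by the installer
$LogDir     = 'C:\inetpub\logs\LogFiles'  # placeholder: directory to monitor

# Collect the internal credential at run time instead of hard-coding it in the script.
$cred  = Get-Credential -UserName $SplunkUser -Message 'Splunk UF internal admin credential'
$plain = $cred.GetNetworkCredential().Password

function Invoke-SplunkCli {
    param([Parameter(Mandatory)][string[]]$CliArgs)
    # -auth user:password is what lets a standard OS user talk to splunkd.
    # Caveat: the password is visible in process listings for the lifetime of
    # the command, so keep this user scoped to the UF and never log $plain.
    # $($SplunkUser) is required; "$SplunkUser:" would be parsed as a scope prefix.
    $out = & $SplunkExe @CliArgs -auth "$($SplunkUser):$plain" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "splunk $($CliArgs -join ' ') failed: $out" }
    return $out
}

# 1. Show that this OS user cannot read the conf files directly. For a standard,
#    non-elevated user with restrictive ACLs on the UF directory this is expected
#    to fail, which is exactly why the internal credential is needed.
$inputsConf = Join-Path (Split-Path $SplunkExe -Parent) '..\etc\system\local\inputs.conf'
try   { Get-Content $inputsConf -ErrorAction Stop | Out-Null; Write-Host "inputs.conf readable directly by $env:USERNAME" }
catch { Write-Host "inputs.conf not readable by $env:USERNAME; configuring via the CLI with internal auth" }

# 2. Create the monitor input through splunkd (requires internal auth) ...
Invoke-SplunkCli -CliArgs @('add', 'monitor', $LogDir, '-sourcetype', 'iis', '-index', 'main')

# 3. ... and verify it the same way, which is the command the thread noted prompts
#    for the admin password when run without -auth.
Invoke-SplunkCli -CliArgs @('list', 'monitor')
```

Run it from a PowerShell session as the standard (non-administrator) account the script is meant to use; if step 1 reports the file as readable, that account has more filesystem access to the UF directory than intended and the ACLs are worth reviewing.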

PickleRick
SplunkTrust
SplunkTrust

Ok, maybe btool doesn't require it (I don't usually run it on UFs so I might not remember exactly, but listing input status needed authenticating for sure).


isoutamo
SplunkTrust
SplunkTrust

Hi

That is for Splunk's internal admin user. Normally it's not used in the UF, but from time to time there could be some situations when it is useful.
r. Ismo
