Splunk Enterprise

What is the purpose of Universal Forwarder on Windows - Administrator Credential?

shocko
Contributor

I'm running Splunk Enterprise 8.2.4. When deploying the Universal Forwarder for Windows (version 8.2.4) and selecting to run it under the Local System account, it subsequently asks me to 'create credentials for the administrator account', as per attached. What is the purpose of this?

0 Karma
1 Solution

PickleRick
SplunkTrust

It's a misunderstanding. One thing is the Windows user the application runs with - Local System or a particular local/domain account. That's configured on a previous screen.

What you're showing is a local Splunk UF user - it's an internal Splunk authentication method. It's needed if you, for example, run the splunk btool command or create inputs/outputs by means of CLI commands. You have to provide this user's credentials in order to manipulate the Splunk installation.

So you might run the UF as Local System or Your_Domain\splunk or whatever user you want, but you create a user _within Splunk UF_ for some administrative tasks.

shocko
Contributor

The following command will ask for the admin password on a Windows UF:

  • splunk monitor list

As such, I agree that the admin password appears to be required for Splunk-based auth to run certain commands. Makes a lot of sense actually, as it separates the software to a degree from the OS auth model.

0 Karma

shocko
Contributor

OK but I have run the btool command from the UF (for example) on Windows and have never been prompted for this credential. That said, I'm always logging into my Windows Server System as an OS admin user. 

I MUST specify it using the UI installer though. I can understand that you might use this as follows:

  • You have a script that has standard non-elevated OS user rights on Windows and hence cannot access the underlying conf files
  • You want this script to configure the UF
  • The Splunk forwarder credential used during setup can be assigned to the script for this usage

I will test this hypothesis. 

0 Karma

PickleRick
SplunkTrust

OK, maybe btool doesn't require it (I don't usually run it on UFs so I might not remember exactly, but listing input status needed authenticating for sure).

0 Karma

isoutamo
SplunkTrust

Hi

That is for Splunk’s internal admin user. Normally it’s not used in the UF, but from time to time there could be some situations when it is useful.
r. Ismo 
