I'm running Splunk Enterprise 8.2.4. When deploying the Universal Forwarder for Windows (version 8.2.4) and selecting to run it under the Local System account, it subsequently asks me to 'create credentials for the administrator account' as per the attached screenshot. What is the purpose of this?
It's a misunderstanding. One thing is the windows user the application runs with - Local System or a particular local/domain account. That's configured on a previous screen.
What you're showing is a local splunk UF user - it's an internal splunk authentication method. It's needed if you, for example, run the splunk btool command or create inputs/outputs by means of CLI commands. You have to provide this user's credentials in order to manipulate the splunk installation.
So you might run UF as Local System or Your_Domain\splunk or whatever user you want but you create a user _within splunk uf_ for some administrative tasks.
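As an added example (not from the original posts), here is a PowerShell snippet that makes the distinction concrete on a Windows host: it first reads which Windows account the SplunkForwarder service actually logs on as (the identity chosen on the installer's earlier screen), then runs the UF's own CLI, where btool only reads .conf files from disk while `splunk list inputstatus` talks to splunkd and is answered with the Splunk-internal admin user the later screen asked you to create. The install path `$ufHome` and the service name `SplunkForwarder` are assumptions matching a default install.

```powershell
# Added example, not from the original thread. Assumes a default
# Universal Forwarder install under C:\Program Files\SplunkUniversalForwarder
# and the default Windows service name 'SplunkForwarder'.
$ufHome = 'C:\Program Files\SplunkUniversalForwarder'
$splunk = Join-Path $ufHome 'bin\splunk.exe'

# 1. The *Windows* identity: the account the service logs on as.
#    This is what the installer's earlier screen (Local System vs. a
#    local/domain user) configured; it governs file and event-log access.
function Get-UfServiceAccount {
    $svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
    if (-not $svc) { throw "SplunkForwarder service not found" }
    [pscustomobject]@{ Name = $svc.Name; State = $svc.State; LogOnAs = $svc.StartName }
}

# 2. btool merges the .conf files on disk and never contacts splunkd,
#    so it needs no Splunk login at all (only OS read access to $ufHome).
function Show-UfInputs {
    & $splunk btool inputs list --debug
}

# 3. Commands that talk to splunkd's management port authenticate against
#    Splunk's own user store, independent of who you are logged on to
#    Windows as. That is the 'admin' user the installer asked you to create.
function Get-UfInputStatus {
    param([pscredential]$SplunkAdmin)
    # -auth takes user:password; the password lands on the command line and
    # in PowerShell history, so prompt for it rather than hard-coding it.
    $plain = $SplunkAdmin.GetNetworkCredential().Password
    & $splunk list inputstatus -auth "$($SplunkAdmin.UserName):$plain"
}

Get-UfServiceAccount | Format-List
Show-UfInputs
$cred = Get-Credential -UserName 'admin' -Message 'Splunk UF internal admin user (not a Windows account)'
Get-UfInputStatus -SplunkAdmin $cred
```

Running the last two calls side by side shows the point of the thread: being a Windows administrator is enough for `btool`, but `list inputstatus` still asks for (or must be given via `-auth`) the Splunk-internal credentials regardless of the service account.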
The following command will ask for the admin password on windows UF:
As such, I agree that the admin password appears to be required for Splunk-based auth to run certain commands. Makes a lot of sense actually, as it separates the software to a degree from the OS auth model.
OK, but I have run the btool command from the UF (for example) on Windows and have never been prompted for this credential. That said, I'm always logging into my Windows Server system as an OS admin user.
I MUST specify it using the UI installer though. I can understand that you might use this as follows:
I will test this hypothesis.
Ok, maybe btool doesn't require it (I don't usually run it on UFs, so I might not remember exactly, but listing input status needed authenticating for sure).
Hi
That is for Splunk's internal admin user. Normally it's not used in the UF, but from time to time there can be situations where it is useful.
r. Ismo