Hi all,
I'm currently doing some tests with UF on Windows 10 hosts. Unfortunately I'm getting an error I was not able to get rid of yet.
When running UF as a user account that is part of the Administrators group, everything is running fine. As we do not want to run the process with full administrative rights, I created a local user "splunk" and gave it the following rights:
- Full control over the UF directory.
- Permission to log on as a service.
- Permission to log on as a batch job.
- Permission to replace a process-level token.
- Permission to act as part of the operating system.
- Permission to bypass traverse checking.
(source: http://docs.splunk.com/Documentation/Splunk/6.6.3/Installation/ChoosetheuserSplunkshouldrunas)
With the non-privileged settings I do get the following messages in splunkd.log with WinRegMon inputs enabled:
07-30-2018 14:50:26.985 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - manageDriver Open SC Manager failed! Error = 5
07-30-2018 14:50:26.985 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - WinRegistryMonitor::StartDriver: Unable to install driver.
Accordingly, I do not get any data from source WinRegMon.
The same configuration seems to be working fine on Windows 7. Anyone had the same issues yet? Tested versions are UF 6.6.3 and UF 7.1.1.
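The log lines above show splunk-regmon failing in OpenSCManager with Win32 error 5 (ERROR_ACCESS_DENIED) before it can install its driver. Installing a driver means creating a kernel service, which requires opening the Service Control Manager with SC_MANAGER_CREATE_SERVICE, an access right that by default only members of Administrators hold; none of the five user rights listed in the post grants it. The following PowerShell script is an added diagnostic, not Splunk's code and not from the original post. It assumes the local account is named "splunk" as in the post. Part 1, run from an elevated shell, exports the local user-rights policy with secedit and reports for each listed right whether the account's SID is assigned directly, together with every principal holding the right, so grants inherited through a group (Bypass traverse checking is normally held via Everyone) are visible. Part 2, run while logged on as the service account, repeats the OpenSCManager call with create-service access and reports the Win32 error, which reproduces the "Error = 5" from the log without touching any driver.

```powershell
<#
  Added diagnostic (not part of Splunk or the original post).
  Part 1: audit the user-rights assignments the post lists (elevated shell).
  Part 2: test whether the current identity may open the SCM with
          SC_MANAGER_CREATE_SERVICE, the access a driver install needs.
  The account name 'splunk' is an assumption taken from the post.
#>
param([string]$Account = 'splunk')

# Policy constant -> friendly name, for the rights listed in the post.
$requiredRights = [ordered]@{
    SeServiceLogonRight           = 'Log on as a service'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeAssignPrimaryTokenPrivilege = 'Replace a process-level token'
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'
}

function Get-UserRightsAudit {
    param([string]$Account)
    # secedit lists principals as *SID, so resolve the account to its SID.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export only the user-rights area; the [Privilege Rights] section has
    # lines of the form "SeServiceLogonRight = *S-1-5-...,*S-1-5-...".
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated shell.' }
    $policy = Get-Content $cfg

    foreach ($right in $requiredRights.Keys) {
        $line = $policy | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
        }
        [pscustomobject]@{
            Right   = $right
            Name    = $requiredRights[$right]
            Direct  = [bool]($holders -contains "*$sid")   # assigned to this SID itself
            Holders = $holders -join ' '                   # includes group grants
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

function Test-ScmCreateAccess {
    # Minimal P/Invoke for OpenSCManagerW / CloseServiceHandle.
    $sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenSCManagerW(string machineName, string databaseName, uint desiredAccess);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr handle);
'@
    $scm = Add-Type -MemberDefinition $sig -Name 'ScmNative' -Namespace 'Diag' -PassThru
    $SC_MANAGER_CREATE_SERVICE = 0x0002   # access required by CreateService
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    $h = $scm::OpenSCManagerW($null, $null, $SC_MANAGER_CREATE_SERVICE)
    if ($h -eq [IntPtr]::Zero) {
        # Error 5 here is ERROR_ACCESS_DENIED, the same value seen in splunkd.log.
        $err  = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $text = (New-Object System.ComponentModel.Win32Exception($err)).Message
        return [pscustomobject]@{ Identity = $who; CanCreateService = $false; Win32Error = $err; Message = $text }
    }
    [void]$scm::CloseServiceHandle($h)
    [pscustomobject]@{ Identity = $who; CanCreateService = $true; Win32Error = 0; Message = 'OK' }
}

Write-Host "User-rights policy for '$Account' (needs an elevated shell):"
Get-UserRightsAudit -Account $Account | Format-Table -AutoSize
Write-Host 'SCM create-service test for the current identity:'
Test-ScmCreateAccess | Format-List
```

If Part 1 shows all five rights granted (directly or via a group) while Part 2, run as the service account, still returns Win32Error 5, the configuration matches the post and the failure is the expected SCM access check, not a missing logon right: creating a kernel service is an administrative operation, and granting the listed rights does not change that.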