All Apps and Add-ons

Are there permissions for splunk user on universal forwarder for Windows?

akyz
Explorer
We're deploying the Windows Universal Forwarder add-on to our environment and are using a gMSA. We have configured the basic permissions outlined here Choose the Windows user Splunk Enterprise should run as - Splunk Documentation. While we are now getting event log data ingested into Splunk Enterprise we do not see all the event log data. I believe we're missing Security. Is there any extra security permissions we're missing?
 
 
Labels (3)
0 Karma
1 Solution

akyz
Explorer

Thanks for your inputs and replies. I was able to figure it out by granting the gMSA that we have running the Universal Forwarder service read/write permissions to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.

Once that was done all the security logs were flowing into our indexer.

Thank you.

View solution in original post

0 Karma

akyz
Explorer

Yes the data inputs are defined and all event logs are selected. 

Yeah I See the local event log readers group going to try that out. Does Splunk have any sort of documentation explaining all the permissions that are needed to properly ingest the data?

0 Karma

PickleRick
Ultra Champion

The article you cited gives a pretty good description of permissions and privileges needed for UF to run. But the permissions to specific event logs is another cup of tea... It's more of a "windows knowledge" than splunk knowledge. I remember having spent whole day until I found the logreaders group (but I was pulling logs with WMI).

0 Karma

PickleRick
Ultra Champion

Stupid question - do you have an input defined for the Security eventlog?

But if you do (that was just a quick check to see if you hadn't forgotten it) did you add your splunk user to the ACL on the Security eventlog? It's very ugly and it's done in the Registry by means of SDDL. So it's often way easier to just add your splunk user to local Eventlog Readers group (or something similarily named).

0 Karma

akyz
Explorer

Thanks for your inputs and replies. I was able to figure it out by granting the gMSA that we have running the Universal Forwarder service read/write permissions to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.

Once that was done all the security logs were flowing into our indexer.

Thank you.

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...