Installation

Getting "access denied" error during Splunk installation.

Trainsada
Engager

Setting mgmt to port: 9000
Failed to open splunk.secret 'C:\Program Files\Splunk\etc\auth\splunk.secret' file. Some passwords will not work. errno=Access is denied.
Unable to read 'C:\Program Files\Splunk\etc\auth\splunk.secret' file.
Operation "ospath_fopen" failed in C:\wrangler-2.0\build-src\kimono\src\libzero\conf-mutator-locking.c:313, conf_mutator_lock(); No error

Actions taken:
Provided Read/Write access
Changed the port number
Restarted the machine

gavsdavs_GR
Path Finder

"Install as administrator" appears to be an over-simplification.

Scenario: Splunk on Windows, running a deployment server forwarding to remote indexers. It's installed as a user which is a local machine administrator, but it's not LOCALSYSTEM\Administrator. Let's call it "localsplunkadminuser".

Splunk itself starts and runs fine.

I have a "log into git, pull fresh content if there is any, and run 'reload deploy-server'" content updater script.
I used to run this as the same localsplunkadminuser, and all was well.

I am now being asked by my local security people to run my "content updater" script as a non-local admin (let's call this user "non-admin-content-update-user").

The script knows how to talk to our local password store to get creds to a) log into git, and also b) log into Splunk with an account with the capabilities to run "reload deploy-server" (i.e. a Splunk admin).

I have given the non-admin-content-update-user full control over all the files in c:\Program Files\Splunk, so it should have the rights to alter/change any files. It's able to make changes to files that are getting updated in git (i.e. files under c:\Program Files\Splunk\etc\deployment-apps and c:\Program Files\Splunk\etc\apps).

Unfortunately, when the content updater script is run by non-admin-content-update-user, it gets this error.

2018-11-30 13:51:20,394|ERROR|returncode=63, output="No error
Operation "ospath_fopen" failed in C:\wrangler-2.0\build-src\ivory\src\libzero\conf-mutator-locking.c:313, conf_mutator_lock(); ", restart="False"

So I AM running Splunk as a local machine administrator, but I'm trying to ask it to reload deployment server from a non-admin user and it won't permit it. Let me be clear, it's not because I'm failing to authenticate to Splunk, it's because Splunk doesn't appear to permit a non-admin user to run the splunk binary.

What's the reason here? Are there any specific rights I can give my non-admin user to let it run "Splunk.exe reload deploy server"?

Thanks
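
One way to check the "full control over all the files" step described in the post above, as an added example that is not part of the thread or of Splunk: it lists every file under the Splunk directory whose NTFS ACL gives the account no effective Read+Write, and flags files that do not inherit from their parent. The install path, the account name (the post's placeholder) and the group list are assumptions; ACE identities are matched by name and nested groups are not expanded.

```powershell
# Added example, not from the thread. Run from an elevated prompt so every ACL is readable.
param(
    [string]$SplunkHome = 'C:\Program Files\Splunk',
    # Placeholder account name from the post; replace with the real account.
    [string]$Account = "$env:COMPUTERNAME\non-admin-content-update-user",
    # Assumption: groups the account is a member of, supplied by hand (not resolved here).
    [string[]]$Groups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
)

$needed     = [int][System.Security.AccessControl.FileSystemRights]'Read, Write'
$principals = @($Account) + $Groups

function Get-AccessFinding {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch {
        return [pscustomobject]@{ Path = $Path; Problem = "ACL unreadable: $($_.Exception.Message)" }
    }

    # Collect the rights granted and denied to the account or any listed group.
    $allow = 0; $deny = 0
    foreach ($rule in $acl.Access) {
        if ($principals -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $deny = $deny -bor [int]$rule.FileSystemRights }
        else { $allow = $allow -bor [int]$rule.FileSystemRights }
    }

    # Deny entries win over Allow entries for the same rights.
    $effective = $allow -band (-bnot $deny)
    if (($effective -band $needed) -ne $needed) {
        $why = if ($acl.AreAccessRulesProtected) { 'inheritance disabled, ' } else { '' }
        return [pscustomobject]@{
            Path    = $Path
            Problem = "${why}no Read+Write for listed principals (owner: $($acl.Owner))"
        }
    }
}

# Only files with a finding are emitted; an empty table means no gaps were found.
Get-ChildItem -LiteralPath $SplunkHome -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AccessFinding -Path $_.FullName } |
    Sort-Object Path |
    Format-Table -AutoSize -Wrap
```

The script only reads ACLs and changes nothing. An empty result means NTFS permissions on existing files are not what blocks the account, which narrows the search to other causes.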

Trainsada
Engager

Simple. Install as an administrator
