Installation Manual


NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.


Install on Windows

This topic describes the procedure for installing Splunk on Windows with the Graphical User Interface (GUI)-based installer. More options (such as silent installation) are available if you install from the command line.

Important: Running the 32-bit version of Splunk for Windows on a 64-bit platform is not recommended. If you attempt to run the 32-bit installer on a 64-bit system, the installer will warn you of this.

If you can run 64-bit Splunk on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.

Upgrading?

If you are upgrading, review the upgrade documentation later in this manual and check READ THIS FIRST for any migration considerations before proceeding.

Splunk for Windows and anti-virus software

Splunk's indexing subsystem requires lots of disk I/O bandwidth. Any software with a device driver that intermediates between Splunk and the operating system can rob Splunk of processing power, causing slowness and even an unresponsive system. This includes anti-virus software.

It's extremely important to configure such software to avoid on-access scanning of Splunk installation directories and processes, before starting a Splunk installation.

Choose the user Splunk should run as

When you run the Splunk Windows installer, you are given the option to select the user that Splunk will run as.

If you install as the Local System user, Splunk will have access to all of the important information on your local machine. However, the Local System user has no privileges on other Windows machines by design.

If you intend to do any of the following things, you must give Splunk a domain account:

  • read Event Logs remotely
  • collect performance counters remotely
  • read network shares for log files
  • enumerate the Active Directory schema using Active Directory monitoring

The domain account you use must be a member of the Active Directory domain you wish to monitor. It must also be a member of the local Administrators group.

Note: Splunk might not function properly if the Splunk user is not a local administrator on computers running versions of Windows prior to Windows Server 2008.

If you're not sure which account to run Splunk under, speak with your Windows domain administrator about the best way to proceed. If you are the domain administrator, then review "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual for additional information on how to configure your Splunk user with the access it needs.

Important: If you decide to change the user Splunk runs as after you have installed, you must ensure that the new account:

  • Has the necessary resource access rights.
  • Is a member of the machine's local Administrators group.
  • Has "Full Control" permissions to the %SPLUNK_HOME% directory and all its subdirectories.

Managed service accounts on Windows Server 2008 and Windows 7

If you run Windows Server 2008, Windows Server 2008 R2 or Windows 7, and your domain is properly configured or has at least one Windows Server 2008 R2 domain controller present, you can use managed service accounts (MSA) on your Splunk instance.

The major benefits of using a MSA are:

  • Increased security from the isolation of accounts for services.
  • Administrators no longer need to manage the credentials or administer service principal names (SPNs).
  • Administrators can delegate the administration of these accounts to non-administrators.

Some important things to understand before installing Splunk under a MSA are:

  • The MSA requires the same permissions as a domain account on the machine that runs Splunk.
  • The MSA must be a local administrator on the machine that runs Splunk.
  • You cannot use the same account on different computers, as you would with a domain account.
  • You must correctly configure and install the MSA on the machine that runs Splunk before you install Splunk on the machine. For information and instructions on how to do this, review "Service Accounts Step-by-Step Guide" (http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx) on MS Technet.

To install Splunk using a managed service account:

1. Ensure that the MSA you plan to use is properly installed and configured.

Important: The MSA must have appropriate rights configured for the Windows resources you need to monitor, and must also be a local Administrator on the machine that runs Splunk.

2. Install Splunk from the command line as the "Local System" user.

Important: You must use the LAUNCHSPLUNK=0 flag to keep Splunk from starting after installation is completed.

3. After installation is complete, use the Windows Explorer or the ICACLS command line utility to grant the MSA "Full Control" permissions to the Splunk installation directory and all its sub-directories.

4. Follow the instructions in the topic "Correct the user selected during Windows installation" in this manual. In this instance, the correct user is the MSA you configured prior to installing Splunk.

Important: You must append a dollar sign ($) to the end of the username when completing Step 4 in order for the MSA to work correctly. For example, if the MSA is SPLUNKDOCS\splunk1, then you must enter SPLUNKDOCS\splunk1$ in the appropriate field in the properties dialog for the service. You must do this for both the splunkd and splunkweb services.

5. Make sure that the MSA has the "Log on as a service" right.

6. Restart Splunk. Splunk will run as the MSA configured above, and will have access to all data the MSA has access to.
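Steps 1 to 6 as one elevated PowerShell session, as an added example that is not part of this manual or of Splunk's own tooling. It assumes the MSA SPLUNKDOCS\splunk1 from the text, an installer at C:\temp\splunk.msi and the default installation directory; AGREETOLICENSE=Yes is the MSI property from Splunk's command-line installation topic, not from this page, and the "Log on as a service" right (step 5) is assigned through Local Security Policy or a GPO rather than by the script.

```powershell
# Added example: install Splunk 4.3 under a managed service account (steps 1-6).
# Run in an elevated PowerShell on the Splunk host. Assumed values:
$Msa        = 'SPLUNKDOCS\splunk1'        # MSA from the text (hypothetical domain)
$MsaDollar  = $Msa + '$'                  # service logon form: trailing $ is required
$MsiPath    = 'C:\temp\splunk.msi'        # assumed installer location
$SplunkHome = 'C:\Program Files\Splunk'   # default %SPLUNK_HOME%

# Step 1: the MSA must already exist in AD and be installed on this host.
# Test-ADServiceAccount (ActiveDirectory module) is $true only when this host can use it.
Import-Module ActiveDirectory
$msaName = ($Msa -split '\\')[-1]
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $Msa is not installed on this host; run Install-ADServiceAccount first"
}

# Step 2: silent install as Local System. LAUNCHSPLUNK=0 keeps Splunk from starting.
$msiArgs = "/i `"$MsiPath`" AGREETOLICENSE=Yes LAUNCHSPLUNK=0 /quiet"
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# Step 3: Full Control for the MSA on %SPLUNK_HOME% and all sub-directories.
# (OI)(CI) inherits the ACE to files and folders; /T applies it to existing children.
icacls $SplunkHome /grant ($MsaDollar + ':(OI)(CI)F') /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $SplunkHome" }

# Step 4: change the logon account of both services to the MSA.
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
# DesktopInteract, StartName, StartPassword); an MSA has no password to supply.
foreach ($svcName in 'splunkd', 'splunkweb') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
    $r = $svc.Change($null, $null, $null, $null, $null, $null, $MsaDollar, '')
    if ($r.ReturnValue -ne 0) { throw "Could not set logon for $svcName (code $($r.ReturnValue))" }
}

# Step 5: 'Log on as a service' is a user right, not a service property; assign it to
# $MsaDollar in Local Security Policy (or a GPO) before continuing.

# Step 6: start Splunk and confirm which account each service now runs as.
foreach ($svcName in 'splunkd', 'splunkweb') { Start-Service -Name $svcName }
Get-WmiObject Win32_Service -Filter "Name='splunkd' OR Name='splunkweb'" |
    Select-Object Name, StartName, State
```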

Security and remote access considerations

In the interests of security, Splunk strongly recommends that you take the following steps when assigning rights for the Splunk user:

  • Create a domain group that the Splunk user will be a member of.
  • Place the Splunk user into this group.
  • Then, place that group into local groups on member servers or workstations.

This helps maintain security integrity and makes it a lot easier to control access in the event of a breach or site-wide security change.

Minimum permissions required to run Splunk as a user other than Local System

The following is a list of the minimum local permissions required for the splunkd and splunkweb services, when Splunk is installed using a user. Depending on the sources of data you need to access, the Splunk user might need a significant amount of additional permissions.

Required basic permissions for the splunkd service:

  • Full control over Splunk's installation directory
  • Read access to any flat files you want to index

Required Local Security Policy user rights assignments for the splunkd service:

  • Permission to log on as a service
  • Permission to log on as a batch job
  • Permission to replace a process-level token
  • Permission to act as part of the operating system
  • Permission to bypass traverse checking

Required basic permissions for the splunkweb service:

  • Full control over Splunk's installation directory

Required Local Security Policy user rights assignments for the splunkweb service:

  • Permission to log on as a service

Note: These permissions are not required when Splunk runs as the Local System account.
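A check of whether a service account actually holds the rights and directory permission listed above, as an added PowerShell example that is not part of this manual. It assumes a hypothetical account SPLUNKDOCS\splunksvc and the default installation directory, exports the local policy with secedit, and reports only rights and ACEs granted directly to that account, not those it inherits through group membership.

```powershell
# Added example: audit the minimum rights listed above for a Splunk service account.
# Run elevated on the Splunk host. Assumed values:
$Account    = 'SPLUNKDOCS\splunksvc'       # hypothetical service account
$SplunkHome = 'C:\Program Files\Splunk'    # default %SPLUNK_HOME%

# Local Security Policy names from the list above, mapped to the constants secedit uses.
$RequiredRights = @{
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Log on as a batch job'               = 'SeBatchLogonRight'
    'Replace a process-level token'       = 'SeAssignPrimaryTokenPrivilege'
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Bypass traverse checking'            = 'SeChangeNotifyPrivilege'
}

# secedit lists principals either as *SID or as DOMAIN\name, so resolve both forms.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'splunk-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policyLines = Get-Content $cfg

function Test-UserRight($constant) {
    # Example line: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20,SPLUNKDOCS\splunksvc
    $line = $policyLines | Where-Object { $_ -match "^\s*$constant\s*=" }
    if (-not $line) { return $false }
    $principals = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    return [bool](@("*$sid", $Account) | Where-Object { $principals -contains $_ })
}

foreach ($name in $RequiredRights.Keys) {
    $status = if (Test-UserRight $RequiredRights[$name]) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $status, $name
}

# Full control over the installation directory: an Allow ACE for the account
# whose rights include every bit of FullControl.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ace = (Get-Acl $SplunkHome).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $fullControl) -eq $fullControl
}
$status = if ($ace) { 'OK' } else { 'MISSING' }
'{0,-8} Full control over {1}' -f $status, $SplunkHome
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A right that shows MISSING here may still be effective through a group (for example local Administrators), so compare the output with the GPO-applied result from GPRESULT before changing anything.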

Use Group Policy to assign user rights to multiple machines

If you want to assign the policy settings shown above to a number of workstations and servers in your AD domain or forest, you can define a Group Policy object (GPO) with these specific rights, and deploy that GPO across the domain or forest using the Domain Security Policy Microsoft Management Console (MMC) snap-in. For domain controllers, use the Domain Controller Security Policy snap-in.

Once you've created and enabled the GPO, the workstations and member servers in your domain will pick up the changes either during the next scheduled AD replication cycle (usually every 2-3 hours) or at the next boot time.

Remember that identical Local Security Policy user rights defined on a workstation or member server are overridden by the rights inherited from a GPO, and you can't change this setting. If you wish to retain previously existing rights that are explicitly defined through Local Security Policy on your member servers, they'll also need to be assigned within the GPO.

If you accidentally specify the wrong user the first time you install

If you specified the wrong user during the installation procedure, you'll see two popup error dialogs telling you this. Complete the installation and then use these instructions to switch to the correct user. You must not start Splunk before doing this.

Troubleshoot permissions issues

The rights described above are the rights that the splunkd and splunkweb services specifically invoke. Other rights might be required, depending on your usage and what data you want to access. Additionally, many user rights assignments and other Group Policy restrictions can prevent Splunk from running. If you have issues, consider using a tool such as Process Monitor to troubleshoot your environment.

You can use the GPRESULT command line tool or the Group Policy Management Console (GPMC) to troubleshoot issues related to GPO application in your enterprise. As a last resort, you can revert to running the splunkd service under a domain administrator or equivalent account.

Install Splunk via the GUI installer

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.

The Welcome panel is displayed.

2. To begin the installation, click Next.

Note: On each panel, you can click Next to continue, Back to go back a step, or Cancel to close the installer.

The licensing panel is displayed.

3. Read the licensing agreement and select "I accept the terms in the license agreement". Click Next to continue installing.

The Destination Folder panel is displayed.

Note: Splunk is installed by default into \Program Files\Splunk on the system drive. Splunk's installation directory is referred to as $SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set.

4. Click Change... to specify a different location to install Splunk, or click Next to accept the default value.

The Logon Information panel is displayed.

Splunk installs and runs two Windows services, splunkd and splunkweb. These services will be installed and run as the user you specify on this panel. You can choose to run Splunk with Local System credentials, or provide a specific account. That account should have local administrator privileges, plus appropriate domain permissions if you are collecting data from other machines.

The user Splunk runs as must have permissions to:

  • Run as a service.
  • Read whatever files you are configuring it to monitor.
  • Collect performance or other WMI data.
  • Write to Splunk's directory.

Note: If you install as the Local System user, some network resources will not be available to the Splunk application. Additionally, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections. Only local data collection with WMI will be available. Contact your systems administrator for advice if you are unsure what account to specify.

5. Select a user type and click Next.

If you specified the Local System user, proceed to step 7. Otherwise, the Logon Information: specify a username and password panel is displayed.

6. Specify a username and password to install and run Splunk and click Next.

Note: This must be a valid user in your security context. Splunk cannot start without a valid username and password.

The pre-installation summary panel is displayed.

7. Click Install to proceed.

The installer runs and displays the Installation Complete panel.

Caution: If you specified the wrong user during the installation procedure, you will see two popup error windows explaining this. If this occurs, Splunk installs itself as the local system user by default. Splunk will not start automatically in this situation. You can proceed through the final panel of the installation, but uncheck the "Launch browser with Splunk" checkbox to prevent your browser from launching. Then, use these instructions to switch to the correct user before starting Splunk.

8. If desired, check the boxes to Launch browser with Splunk and Create Start Menu Shortcut now. Click Finish.

The installation completes, Splunk starts, and Splunk Web launches in a supported browser if you checked the appropriate box.

Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, you can either:

  • Click the Splunk icon in Start > Programs > Splunk

or

Log in using the default credentials: username: admin and password: changeme.

The first time you log into Splunk successfully, you'll be prompted right away to change your password. You can do so by entering a new password and clicking the Change password button, or you can do it later by clicking the Skip button.

Note: If you do not change your password, remember that anyone who has access to the machine can access your Splunk instance. Be sure to change the admin password as soon as possible and make a note of what you changed it to.

Avoid IE Enhanced Security pop-ups

If you're using Internet Explorer to access Splunk, add the following URLs to the allowed Intranet group or fully trusted group to avoid getting "Enhanced Security" pop-ups:

  • quickdraw.splunk.com
  • the URL of your Splunk instance

Change the Splunk Web or splunkd service ports

If you want the Splunk Web service or the splunkd service to use a different port, you can change the defaults.

To change the splunk web service port:

  • Open a command prompt.
  • Change to the %SPLUNK_HOME%\bin directory.
  • Type in splunk set web-port #### and press Enter.

To change the splunkd port:

  • Open a command prompt, if one isn't already.
  • Change to the %SPLUNK_HOME%\bin directory.
  • Type in splunk set splunkd-port #### and press Enter.

Note: If you specify a port and that port is not available, or if the default port is unavailable, Splunk will automatically select the next available port.

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.

Note: Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

What's next?

Now that you've installed Splunk, you can find out what comes next, or you can review these topics in the Getting Data In Manual for information on adding Windows data to Splunk:

This documentation applies to the following versions of Splunk: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
