Splunk® Enterprise

Installation Manual


Choose the Windows user Splunk Enterprise should run as

This topic discusses the steps you should take to choose which Windows user Splunk Enterprise should run as when you install Splunk on Windows.

When you run the Windows Splunk Enterprise installer, it presents you with the option to select the user that Splunk should run as. Splunk strongly recommends you read this topic before installing in order to understand the ramifications of choosing the user type.

This topic applies to all versions of Splunk, including Splunk Enterprise and the Splunk universal forwarder. It applies to installing Splunk on Windows only.

The user you choose depends on what you want Splunk Enterprise to monitor

The user Splunk Enterprise runs as determines what it can monitor. The Local System user has access to all data on the local machine, but nothing else. A user other than Local System has access to whatever data you want it to, but you must give the user that access prior to installing Splunk.

If you already know that the computer you're installing Splunk on will not access remote Windows data, you can proceed directly to "Install on Windows" in this manual (or, if you want to install using the command prompt, "Install on Windows via the command line").

If there is a possibility that you will need to access remote Windows data, or you are not sure, then read on - this topic contains important information about the user you should install Splunk as.

About the "Local System user" and "other user" choices

The basics

The Windows Splunk Enterprise installer provides two ways to install Splunk: as the "Local System" user, or as another existing user on your Windows computer or network, which you designate.

If you intend to do any of the following with Splunk, then you must install Splunk as an "other user":

  • read Event Logs remotely
  • collect performance counters remotely
  • read network shares for log files
  • enumerate the Active Directory schema using Active Directory monitoring

Note: This is not an all-inclusive list.

The user that you specify must, at a minimum:

  • Be a member of the Active Directory domain or forest you wish to monitor (when using AD).
  • Be a member of the local Administrators group on the server you're installing Splunk Enterprise on.
  • Have specific user security rights assigned to it prior to installing Splunk. Read "Minimum permissions requirements" later in this topic for specific information.

Caution: If the user does not satisfy these minimum requirements, Splunk Enterprise installation might fail. Even if the installation succeeds, Splunk might not run correctly, or at all.

The user also has unique password constraints - read "User accounts and password concerns" later in this topic for specifics.

If you're not sure which user Splunk Enterprise should run as, then review "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual for additional information on how to configure the Splunk user with the access it needs.

User accounts and password concerns

Another important issue that arises when you install Splunk Enterprise with a user account is that any active password enforcement security policy controls the password's validity. If your Windows server or network enforces password changes, you must choose one of the following approaches:

  • Before the password expires, change it, reconfigure the Splunk Enterprise services on every machine to use the changed password, and then restart Splunk.
  • Configure the account so that its password never expires.
  • Use a managed service account (read "Use managed service accounts on Windows Server 2008, Windows Server 2012 and Windows 7" later in this topic).

Use managed service accounts on Windows Server 2008, Windows Server 2012 and Windows 7

If you run Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows 7 in Active Directory, and your AD domain has at least one Windows Server 2008 R2 or Server 2012 domain controller, you can install Splunk Enterprise to run as a managed service account (MSA).

The major benefits of using an MSA are:

  • Increased security from the isolation of accounts for services.
  • Administrators no longer need to manage the credentials or administer the accounts. This means that, among other things, passwords automatically change after they expire, and you do not have to manually set passwords or restart services associated with these accounts.
  • Administrators can delegate the administration of these accounts to non-administrators.

Some important things to understand before installing Splunk with an MSA are:

  • The MSA requires the same permissions as a domain account on the machine that runs Splunk.
  • The MSA must be a local administrator on the machine that runs Splunk.
  • You cannot use the same account on different computers, as you would with a domain account.
  • You must correctly configure and install the MSA on the machine that runs Splunk before you install Splunk on the machine. For information and instructions on how to do this, review "Service Accounts Step-by-Step Guide" (http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx) on MS Technet.

To install Splunk Enterprise using an MSA, read "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" in this manual.

Security and remote access considerations

Minimum permissions requirements

If you choose to install Splunk as a domain user, a minimum set of permissions is required on the server that runs Splunk.

The following is a list of the minimum user rights and permissions that the splunkd, splunkweb, and splunkforwarder services require when Splunk is installed using a domain user. Depending on the sources of data you want to monitor, the Splunk user might need significant additional permissions.

Required basic permissions for the splunkd or splunkforwarder services

  • Full control over Splunk's installation directory
  • Read access to any flat files you want to index

Required Local/Domain Security Policy user rights assignments for the splunkd or splunkforwarder services

  • Permission to log on as a service
  • Permission to log on as a batch job
  • Permission to replace a process-level token
  • Permission to act as part of the operating system
  • Permission to bypass traverse checking

Important: Failure to assign these permissions to the Splunk user prior to installation can result in a failed Splunk install, or an installation which does not function correctly, or at all.

Required basic permissions for the splunkweb service

  • Full control over Splunk's installation directory

Required Local/Domain Security Policy user rights assignments for the splunkweb service

  • Permission to log on as a service

Note: Splunk Enterprise does not require these permissions when it runs as the Local System account.
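The following PowerShell script is an added example, not part of the Splunk documentation: it checks, before installation, whether a candidate service account holds the five user rights listed above for splunkd and splunkforwarder (splunkweb needs only "Log on as a service"). It assumes an elevated prompt on the machine that will run Splunk, and the account name CONTOSO\svc-splunk is a placeholder.

```powershell
# Added example (not Splunk's own code): pre-install check of user rights assignments.
# Run from an elevated PowerShell prompt on the target machine.
param([string]$Account = 'CONTOSO\svc-splunk')   # placeholder service account

# Policy constant names of the rights this topic requires for splunkd/splunkforwarder.
# splunkweb requires only SeServiceLogonRight.
$RequiredRights = [ordered]@{
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process-level token'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
}

# secedit lists rights holders as SIDs prefixed with '*', so resolve the account's SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local policy; rights applied through a GPO are included.
$cfg = Join-Path $env:TEMP 'splunk-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg -Encoding Unicode
Remove-Item -Path $cfg -Force

$missing = @()
foreach ($right in $RequiredRights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = (($line -split '=', 2)[1] -split ',') |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # Direct grants only: a right held through group membership is not expanded here,
    # so a "missing" result for a group-held right needs a manual second look.
    if (($holders -notcontains $sid) -and ($holders -notcontains $Account)) {
        $missing += $RequiredRights[$right]
    }
}

if ($missing.Count -eq 0) {
    Write-Output "$Account holds all required user rights."
} else {
    Write-Output "$Account is missing these rights; assign them before installing Splunk:"
    $missing | ForEach-Object { Write-Output "  - $_" }
}
```

Run it again after the GPO described below has been applied (or after GPUPDATE) to confirm that the rights reached the machine.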

How to assign these permissions

This section contains high-level concepts on how to assign the appropriate user rights and permissions to the Splunk service account before attempting to install. For step-by-step instructions, read "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" in this manual.

Use Group Policy to assign rights to multiple machines

If you want to assign the policy settings shown above to a number of workstations and servers in your AD domain or forest, you can define a Group Policy object (GPO) with these specific rights, and deploy that GPO across the domain. Read "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" in this manual for specific instructions.

Once you've created and enabled the GPO, the workstations and servers in your domain pick up the changes either during the next scheduled AD replication cycle (usually every 1 1/2 to 2 hours) or at the next boot time. Alternatively, you can force AD replication using the GPUPDATE command line utility on the server on which you want to update Group Policy.

When setting user rights, remember that rights assigned by a GPO override identical Local Security Policy rights on a machine, and you can't change this setting. If you wish to retain previously existing rights that are explicitly defined through Local Security Policy on a machine, you must also assign these rights within the GPO.

Troubleshoot permissions issues

The rights described above are the rights that the splunkd, splunkweb, and splunkforwarder services specifically require. Other rights might be needed, depending on your usage and what data you want to access. Additionally, many user rights assignments and other Group Policy restrictions can prevent Splunk from running. If you have issues, consider using a tool such as Process Monitor or GPRESULT to troubleshoot GPO application in your environment.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14
