Create service accounts
Configure users and roles for your VMware environment
To create service accounts for the Splunk for VMware solution, you first need to create vCenter and ESX/i users, create roles, and then assign the users to the roles. This topic shows you how you can do this.
Create users
A user is required for authentication and is assigned a role in later steps for authorization. The following steps show how to create local users. If you use Active Directory for authentication on your Windows OS (vCenter) machines and/or your ESX/i hosts, skip to the "Make users in Active Directory" section below.
Make local users on your Windows OS (vCenter) machines
Perform these steps to create a local user on each of your vCenter machines.
- Log into the Windows OS with an administrator account.
- Open the Windows Start menu, then click Control Panel.
- In the User Accounts screen, click Add or remove user accounts.
- In the Manage Accounts window, click Create a new account.
- Enter a name for the account (e.g. splunksvc) and select Standard user. Note: if you create the new user as an Administrator, the user automatically holds the Administrator role in vSphere, and any lesser role you assign to it later has no effect.
- Click Create Account.
- In the Manage Accounts screen now click on your new user.
- In the Change an Account screen, click Create a password and assign the user a password.
- The new user account is displayed as a Standard user and the account shows that it is Password protected.
- You now have a local Windows user compatible with the vSphere permissions system.
See Microsoft Windows documentation for further information.
Make local users on your ESX/i hosts
You can create local ESX/i users manually on a per-host basis, or create them automatically using the installation tools provided with the FA VM.
To manually create a user on a particular host:
- Open up the vSphere client and connect to the ESX/i machine where you want to create the user.
- Go to the Local Users & Groups tab for the ESX/i machine in the inventory screen.
- Right-click in the list of users and click Add from the context menu.
- Under User Information, enter a login name (e.g. splunksvc) and optionally a user name. The login, NOT the user name, is what you use for authentication; the user name is only a more readable string for display purposes.
- Under Enter Password, enter a password that meets your minimum password requirements (usually a minimum length and at least two different character types).
- Leave Group Membership untouched; the user is automatically added to the users group.
- Click OK. Your user should now appear in the list of users; if so, you are done.
Make users in Active Directory
In a VMware environment, it is possible to join your Windows OS (vCenter) machines and your ESX/i hosts to an Active Directory domain for authentication. Service accounts have to be created on all vCenter machines and ESX/i hosts for the Splunk for VMware solution to work properly. If any of your machines is not configured to use AD authentication, then you must create a "local" user on it (see the relevant sections above for the steps).
For machines that are participating in an AD domain, you must create a service account in the given domain using the appropriate control panel in Windows Server. Most VMware environments use a single AD domain for authentication. However, if you are using multiple AD domains, then you must create a service account in each domain that your VMware environment is using.
Important: When setting up an AD service account for the Splunk for VMware solution, the user must be granted the "Log on locally" right. This is needed so that the vCenter (Windows) service can authenticate the credentials when it receives an HTTPS connection from the FA VM. We are not exactly sure why this right is needed, and we are researching whether it can be dropped as a requirement in a future release. For now, local logon rights must be granted for the solution to work properly.
The exact steps for creating a service account within AD vary considerably depending on your environment, so detailed steps are beyond the scope of this document; ask your AD administrator how to do this correctly for your environment. This article may also be helpful: http://technodrone.blogspot.com/2010/07/esxi-41-active-directory-integration.html.
After you have created the necessary service account(s) in AD, you must still create the required role and map it to the service account you just created in AD. The steps are the same as for local accounts; simply follow the instructions below.
Create roles
You need to create roles on each vCenter and each ESX/i host independently. The procedure for doing so is the same for both vCenters and ESX/i hosts. To create roles:
- Open up the vSphere client and connect to the ESX/i host or vCenter where you want to create the role. You must log in with a user that has administrative rights.
- Click Home in the path bar.
- Under Administration click Roles.
- Right-click in the list of roles and click Add... from the context menu.
- Enter a name for the role (e.g. splunkreader) in the Add New Role window.
- Select the appropriate permissions for the role (see Required permissions in vSphere below). You may need to expand the tree to find the permissions you need.
- Click OK. Your role should now appear in the list of roles; if so, you are done.
Required permissions in vSphere
The following table lists the permissions in vSphere required for the methods/properties that the Forwarder Appliances invoke and/or read:
| Permission |
|---|
| Global.Diagnostics |
| Global.Licenses |
| Global.Settings |
| Host.Configuration.Change SNMP settings |
| Host.Configuration.Hyperthreading |
| Host.Configuration.Memory configuration |
| Host.Configuration.Network configuration |
| Host.Configuration.Power† |
| Host.Configuration.Security profile and firewall |
| Host.Configuration.Storage partition configuration |
| Sessions.View and stop sessions |
| Virtual machine.Provisioning.Read customization specifications |
†Applies to VMware 4.1 only
Assign users to roles
- Open the vSphere client and connect to the vCenter or ESX/i host that contains the user and role you created and now want to link together.
- Go to the Home->Inventory->Inventory screen on an ESX/i host or the Home->Inventory->Hosts and Clusters screen on a vCenter.
- Right-click on the root object in the tree on the left and click "Add Permission" from the context menu.
- On the left of the Assign Permissions window, under Users and Groups click Add...
- Select the user you wish to assign a role to (e.g. splunksvc) from the list box and click Add then click OK.
- On the right of the Assign Permissions window, under Assigned Role select the role you wish to assign to the user from the pull down menu (e.g. splunkreader).
- Make sure the Propagate to Child Objects check box is ticked; without it your user will not have all of the necessary permissions on the hosts and virtual machines below the root object.
- Click OK and verify that your user is listed on the Permissions tab with the role you assigned.
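The two checks that most often go wrong in the steps above are a role that is missing one of the privileges in the table and a permission saved without Propagate to Child Objects. The following Python script is an added example for this topic, not part of the Splunk App for VMware or of VMware's tooling: it audits a role/permission export against the privilege list from the table (including the 4.1-only Host.Configuration.Power entry) and reports missing privileges, privileges the Forwarder Appliance does not need (least privilege), and an unticked Propagate flag. The export format (a dict with the role's privilege display names and the propagate flag) is an assumption; copy the values out of the vSphere client's Roles and Permissions views.

```python
"""Audit a vSphere role/permission mapping for the Splunk for VMware FA.

Added example for this topic; not part of the Splunk App for VMware.
Privilege names are the display names used in the vSphere client.
"""

# Privileges required by the Forwarder Appliance (from the table above).
REQUIRED_PRIVILEGES = frozenset({
    "Global.Diagnostics",
    "Global.Licenses",
    "Global.Settings",
    "Host.Configuration.Change SNMP settings",
    "Host.Configuration.Hyperthreading",
    "Host.Configuration.Memory configuration",
    "Host.Configuration.Network configuration",
    "Host.Configuration.Security profile and firewall",
    "Host.Configuration.Storage partition configuration",
    "Sessions.View and stop sessions",
    "Virtual machine.Provisioning.Read customization specifications",
})

# Privileges that only apply to particular vSphere versions (dagger footnote).
VERSION_SPECIFIC_PRIVILEGES = {
    "Host.Configuration.Power": ("4.1",),
}


def required_for_version(vsphere_version):
    """Return the full privilege set the FA needs on the given vSphere version."""
    versioned = {priv for priv, versions in VERSION_SPECIFIC_PRIVILEGES.items()
                 if vsphere_version in versions}
    return REQUIRED_PRIVILEGES | versioned


def audit_role(role_privileges, vsphere_version):
    """Compare a role's privilege list with the required set.

    Returns (missing, extra): privileges the role lacks, and privileges it
    carries that the FA does not need (candidates for removal).
    """
    have = set(role_privileges)
    need = required_for_version(vsphere_version)
    return sorted(need - have), sorted(have - need)


def audit_permission(permission, vsphere_version):
    """Validate one permission entry and return a list of findings (empty = OK).

    `permission` is an assumed export shape:
      {"principal": str, "role": str, "role_privileges": [str], "propagate": bool}
    """
    findings = []
    missing, extra = audit_role(permission["role_privileges"], vsphere_version)
    if missing:
        findings.append("role %s is missing required privileges: %s"
                        % (permission["role"], ", ".join(missing)))
    if extra:
        findings.append("role %s carries privileges the FA does not need: %s"
                        % (permission["role"], ", ".join(extra)))
    if not permission["propagate"]:
        findings.append("permission for %s is not set to propagate to child objects"
                        % permission["principal"])
    return findings


# Constructed sample export: one privilege missing, one unneeded privilege
# added, and Propagate to Child Objects left unticked.
SAMPLE_PERMISSION = {
    "principal": "splunksvc",
    "role": "splunkreader",
    "role_privileges": sorted(REQUIRED_PRIVILEGES - {"Global.Licenses"})
                       + ["Datastore.Browse datastore"],
    "propagate": False,
}


def audit_sample():
    """Run the audit over the constructed sample on a non-4.1 host."""
    return audit_permission(SAMPLE_PERMISSION, "4.0")


if __name__ == "__main__":
    for finding in audit_sample() or ["OK: role and permission look correct"]:
        print(finding)
```

Run the audit once per vCenter and once per ESX/i host, because each has its own role and permission store; a clean result on vCenter says nothing about the hosts.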
Verifying log in credentials
Now that you have service accounts set up on each VC and ESX/i host in your environment, you can verify that you set up the credentials correctly on each one. To test that your credentials work on a target machine, you can point the vSphere client at the machine or use a web browser to access its Managed Object Browser (MOB).
To validate credentials for a target machine using the MOB, provide the initial URL of that machine (hostname) with /mob appended to the end:
https://<IP or DNS hostname of vCenter server or ESX/i host>/mob
You will be presented with a login dialog box, similar to the one shown here:
In some cases you may need to "add a security exception" in the browser to display the login dialog box. For the specific VC or ESX/i host that you are verifying, enter the corresponding username / password combination for that VC or ESX/i host.
Important: Do this validation step for each VC or ESX/i host that you created a service account for in the steps above. Creating a service account for a VC and validating that it works on the VC does not mean that it will also work on the ESX/i hosts in your environment. VC and ESX/i hosts have completely independent security subsystems. You must do the creation / mapping steps, as shown in this topic, for each VC and ESX/i host independently, and validate each one independently.
The service account credentials (username / password) you use to access the MOB are the same credentials used by the FA to get VMware data. You will use these credentials in your engine.conf and / or credentials.conf file(s) in a later installation step. If the credentials are not properly verified, the solution will not work properly. Although login problems are placed into the solution logs, they are nonetheless a pain to diagnose after the fact. It is much easier to make sure the service account credentials work properly beforehand.
If your login is not successful, the login box is simply displayed again with no further indication of failure. Try re-entering your username/password combination a few times to ensure that a typing error is not preventing you from accessing the MOB. Repeated failures usually indicate that something went wrong when you created the user account, created the role, or mapped the user to the role; retrace the creation steps above for this particular machine to fix the issue.
If you are successful logging into the MOB, then a Web page similar to the following is displayed for each VC or ESX/i host:
Congratulations! Your service account is set up correctly! Now just remember to do this for each VC and ESX/i host that you will add to the Splunk for VMware Solution and you will be all set.
Note: You can also test that you created valid user credentials by logging into the VC machine or ESX/i host using the vSphere Client. If you can point the vSphere Client at each machine and log in successfully using the corresponding credentials, then you have correctly set up the service account. It is effectively the same as logging into the target machine's MOB.
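Checking the MOB by hand for every VC and ESX/i host is tedious, and as noted above a failed login gives no feedback beyond the dialog reappearing. The script below is an added example, not part of the Splunk App for VMware: it sends the same HTTP Basic credentials a browser would send to https://host/mob and reports accepted (HTTP 200) or rejected (HTTP 401) per machine, so each VC and host is verified independently. It uses only the Python standard library. The FakeMobOpener class is a constructed stand-in for the MOB's login behaviour so the example runs offline; host names and passwords in it are made up. The optional verify_tls=False switch is the scripted equivalent of the browser's "add a security exception" and should be used only for hosts whose self-signed certificate you have already checked.

```python
"""Verify Splunk for VMware service-account credentials against the MOB.

Added example for this topic; not part of the Splunk App for VMware.
"""
import base64
import getpass
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request


def mob_url(host):
    """Build the Managed Object Browser URL for a vCenter or ESX/i host."""
    return "https://%s/mob" % host


def check_mob_login(host, username, password,
                    opener=urllib.request.urlopen, verify_tls=True, timeout=15):
    """Return True if the MOB accepts the credentials, False if it rejects
    them (HTTP 401, i.e. the browser would show the login box again).
    Any other HTTP error or connection failure is raised to the caller.
    `opener` is injectable so the logic can be tested without a network."""
    req = urllib.request.Request(mob_url(host))
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Scripted "add a security exception": only for hosts whose
        # self-signed certificate you have already inspected.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with opener(req, context=ctx, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def verify_all(targets, **kwargs):
    """Check a list of (host, username, password) tuples one by one.
    Returns {host: True/False}; every VC and ESX/i host is tested on its own."""
    return {host: check_mob_login(host, user, pw, **kwargs)
            for host, user, pw in targets}


class _FakeResponse:
    """Minimal stand-in for the object urlopen returns on success."""
    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def getcode(self):
        return 200


class FakeMobOpener:
    """Constructed test double mimicking the MOB's HTTP Basic behaviour:
    200 for a known user/password, otherwise 401 with WWW-Authenticate."""
    def __init__(self, accounts):
        self.accounts = accounts  # {host: {username: password}}

    def __call__(self, req, context=None, timeout=None):
        host = urllib.parse.urlsplit(req.full_url).hostname
        scheme, _, token = req.get_header("Authorization", "").partition(" ")
        if scheme == "Basic":
            user, _, pw = base64.b64decode(token).decode().partition(":")
            if self.accounts.get(host, {}).get(user) == pw:
                return _FakeResponse()
        raise urllib.error.HTTPError(
            req.full_url, 401, "Unauthorized",
            {"WWW-Authenticate": 'Basic realm="VMware HTTP server"'}, None)


# Constructed accounts for the offline demonstration.
SAMPLE_ACCOUNTS = {
    "vcenter.example.test": {"splunksvc": "vc-example-pass"},
    "esx01.example.test": {"splunksvc": "esx-example-pass"},
}


def demo():
    """Show that a password valid on the VC is not automatically valid on a host."""
    opener = FakeMobOpener(SAMPLE_ACCOUNTS)
    return verify_all([
        ("vcenter.example.test", "splunksvc", "vc-example-pass"),
        ("esx01.example.test", "splunksvc", "vc-example-pass"),
    ], opener=opener)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python mobcheck.py <host> <username>
        pw = getpass.getpass("Password for %s: " % sys.argv[2])
        print("accepted" if check_mob_login(sys.argv[1], sys.argv[2], pw) else "rejected")
    else:
        for host, ok in demo().items():
            print("%s: %s" % (host, "accepted" if ok else "rejected"))
```

The password is read with getpass rather than taken from the command line so it does not land in shell history or the process list; the same credentials are the ones that go into engine.conf and/or credentials.conf later, so verify them from the same network segment the FA will use.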
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1