Splunk® Enterprise

Installation Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017.

Choose the Windows user Splunk should run as

This topic discusses the steps you should take to choose which Windows user Splunk should run as when you install Splunk on Windows.

When you run the Splunk Windows installer, it presents you with the option to select the user that Splunk should run as. Splunk strongly recommends you read this topic before installing in order to understand the ramifications of choosing the user type.

This topic applies to all versions of Splunk, including Splunk Enterprise and the Splunk universal forwarder. It applies to installing Splunk on Windows only.

The Splunk user you choose depends on what you want Splunk to monitor

The user Splunk runs as determines what it can monitor. The Local System user has access to all data on the local machine, but nothing else. A user other than Local System can access whatever data you grant it, but you must grant that access before you install Splunk.

If you already know that the computer you're installing Splunk on will not access remote Windows data, then you can proceed directly to "Install on Windows" in this manual (or, if you want to install using the command prompt, "Install on Windows via the command line").

If there is a possibility that you will need to access remote Windows data, or you are not sure, then read on: this topic contains important information about the user you should install Splunk as.

About the "Local System user" and "other user" choices

The basics

The Windows Splunk installer provides two ways to install Splunk: as the "Local System" user, or as another existing user on your Windows computer or network, which you designate.

If you intend to do any of the following with Splunk, then you must install Splunk as an "other user":

  • read Event Logs remotely
  • collect performance counters remotely
  • read network shares for log files
  • enumerate the Active Directory schema using Active Directory monitoring

Note: This is not an all-inclusive list.

The user that you specify must, at a minimum:

  • Be a member of the Active Directory domain or forest you wish to monitor (when using AD).
  • Be a member of the local Administrators group on the server you're installing Splunk on.
  • Have specific user security rights assigned to it prior to installing Splunk. Read "Minimum permissions requirements" later in this topic for specific information.

Caution: If the Splunk user does not satisfy these minimum requirements, the Splunk installation might fail. Even if the installation succeeds, Splunk might not run correctly, or at all.

The Splunk user is also subject to password constraints; read "Splunk user accounts and password concerns" later in this topic for specifics.

If you're not sure which user Splunk should run as, then review "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual for additional information on how to configure the Splunk user with the access it needs.

Splunk user accounts and password concerns

Another important issue that arises when you install Splunk with a user account is that any active password enforcement policy controls the password's validity. If your network enforces password changes, you must choose one of the following approaches:

  • Before the password expires, change it, reconfigure Splunk services on every machine to use the changed password, and then restart Splunk.
  • Configure the account so that its password never expires.
  • Use a managed service account (read "Use managed service accounts on Windows Server 2008, Windows Server 2012 and Windows 7" later in this topic).
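The first option above requires knowing when the password expires and which Splunk services still use the account. The following PowerShell script is an added example, not part of the Splunk documentation: it reports the remaining password lifetime of a domain service account and lists the Splunk services on a set of hosts that run under it (and so would need the new password and a restart). It assumes the ActiveDirectory module (RSAT) is installed and that the account name `CORP\svc-splunk` and the host names are placeholders for your own.

```powershell
# Added example, not part of the Splunk documentation: report how long the
# password of the Splunk service account remains valid, and which Splunk
# services on a set of hosts run under it. Account and host names are
# placeholders; replace them with your own.
param(
    [string]   $Account = 'CORP\svc-splunk',                # assumed service account
    [string[]] $Hosts   = @('SPLUNKIDX01', 'SPLUNKFWD01')   # assumed hosts running Splunk
)

Import-Module ActiveDirectory   # RSAT Active Directory module, assumed installed

$samName = $Account.Split('\')[-1]
$user = Get-ADUser -Identity $samName -Properties PasswordNeverExpires, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

if ($user.PasswordNeverExpires) {
    "Password for $Account is set to never expire."
} else {
    # The domain controller computes the expiry from the password age and the
    # effective password policy and returns it as a Windows FILETIME value.
    $expires  = [datetime]::FromFileTime($user.'msDS-UserPasswordExpiryTimeComputed')
    $daysLeft = [int]($expires - (Get-Date)).TotalDays
    "Password for $Account last set $($user.PasswordLastSet); expires $expires ($daysLeft days left)."
}

# Every Splunk service still configured with this account must receive the
# new password and be restarted, so list them host by host. Win32_Service
# reports the logon account in its StartName property (for example CORP\svc-splunk).
$splunkServices = 'splunkd', 'splunkweb', 'SplunkForwarder'
foreach ($h in $Hosts) {
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $h -ErrorAction Stop |
            Where-Object { ($splunkServices -contains $_.Name) -and ($_.StartName -eq $Account) } |
            ForEach-Object { "{0}: service {1} runs as {2} ({3})" -f $h, $_.Name, $_.StartName, $_.State }
    } catch {
        "{0}: could not query services ({1})" -f $h, $_.Exception.Message
    }
}
```

Run it from an administrative PowerShell session on a domain-joined host with remote WMI access to the listed machines. A host that is missed here keeps running with the old password until the next service restart, which is exactly the failure mode the bullet above warns about.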

Use managed service accounts on Windows Server 2008, Windows Server 2012 and Windows 7

If you run Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows 7 in Active Directory, and your AD domain has at least one Windows Server 2008 R2 or Server 2012 domain controller, you can install Splunk to run as a managed service account (MSA).

The major benefits of using an MSA are:

  • Increased security from the isolation of accounts for services.
  • Administrators no longer need to manage the credentials or administer the accounts. This means that, among other things, passwords automatically change after they expire, and you do not have to manually set passwords or restart services associated with these accounts.
  • Administrators can delegate the administration of these accounts to non-administrators.

Some important things to understand before installing Splunk with an MSA are:

  • The MSA requires the same permissions as a domain account on the machine that runs Splunk.
  • The MSA must be a local administrator on the machine that runs Splunk.
  • You cannot use the same account on different computers, as you would with a domain account.
  • You must correctly configure and install the MSA on the machine that runs Splunk before you install Splunk on the machine. For information and instructions on how to do this, review "Service Accounts Step-by-Step Guide" (http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx) on MS Technet.

To install Splunk using an MSA, read "Prepare your Windows network for a Splunk installation as a network or domain user" in this manual.
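The following PowerShell commands are an added example, not part of the Splunk documentation or the Microsoft guide it links to: they provision a standalone MSA, bind it to the computer that will run Splunk, install it there, and confirm the host can retrieve its password before the Splunk installer is run. They assume the ActiveDirectory module on a Windows Server 2012 domain (the `-RestrictToSingleComputer` switch, which creates the one-computer MSA described above, is assumed to be available in that module version), and the names `svc-splunk` and `SPLUNKIDX01` are placeholders.

```powershell
# Added example, not part of the Splunk documentation: provision a standalone
# managed service account for Splunk and install it on the host that will run
# Splunk. Names below are placeholders; replace them with your own.
$msaName  = 'svc-splunk'     # assumed MSA name
$hostName = 'SPLUNKIDX01'    # assumed computer account that will run Splunk

Import-Module ActiveDirectory   # RSAT Active Directory module, assumed installed

# Steps 1 and 2 run on a domain controller or any host with RSAT and rights
# to create service accounts in the domain.

# 1. Create the MSA. -RestrictToSingleComputer (assumed available in the
#    Server 2012 module) creates a standalone MSA, which matches the
#    one-account-per-computer constraint described above.
New-ADServiceAccount -Name $msaName -RestrictToSingleComputer -Enabled $true

# 2. Authorize the target computer to use the account.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Steps 3 to 5 run on the target host itself, as a local administrator.

# 3. Install the account locally so the host can retrieve its password from AD.
Install-ADServiceAccount -Identity $msaName

# 4. Confirm the host can use the MSA before starting the Splunk installer;
#    Test-ADServiceAccount returns $true when the password can be retrieved.
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME; check steps 2 and 3."
}
"MSA $msaName is usable on $env:COMPUTERNAME."

# 5. The topic requires the MSA to be a local administrator on the Splunk
#    host. MSA names carry a trailing '$' when referenced as a principal.
net localgroup Administrators "$env:USERDOMAIN\$msaName`$" /add

# Password rotation is handled by Active Directory; PasswordLastSet shows
# when it last happened, and nothing here ever handles the password itself.
Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

When the Splunk installer later asks for the "other user", supply `DOMAIN\svc-splunk$` with an empty password; the user-rights assignments listed under "Minimum permissions requirements" still have to be granted to this principal before installing, exactly as for a regular domain account.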

Security and remote access considerations

Minimum permissions requirements

If you choose to install Splunk as a domain user, then a minimum set of permissions is required on the server that runs Splunk.

The following is a list of the minimum user rights and permissions that the splunkd, splunkweb, and splunkforwarder services require when Splunk is installed using a domain user. Depending on the sources of data you want to monitor, the Splunk user might need significantly more permissions.

Required basic permissions for the splunkd or splunkforwarder services

  • Full control over Splunk's installation directory
  • Read access to any flat files you want to index

Required Local/Domain Security Policy user rights assignments for the splunkd or splunkforwarder services

  • Permission to log on as a service
  • Permission to log on as a batch job
  • Permission to replace a process-level token
  • Permission to act as part of the operating system
  • Permission to bypass traverse checking

Important: Failure to assign these permissions to the Splunk user prior to installation can result in a failed Splunk install, or an installation which does not function correctly, or at all.

Required basic permissions for the splunkweb service

  • Full control over Splunk's installation directory

Required Local/Domain Security Policy user rights assignments for the splunkweb service

  • Permission to log on as a service

Note: Splunk does not require these permissions when it runs as the Local System account.

How to assign these permissions

This section contains high-level concepts on how to assign the appropriate user rights and permissions to the Splunk service account before attempting to install. For step-by-step instructions, read "Prepare your Windows network for a Splunk installation as a network or domain user" in this manual.

Use Group Policy to assign rights to multiple machines

If you want to assign the policy settings shown above to a number of workstations and servers in your AD domain or forest, you can define a Group Policy object (GPO) with these specific rights, and deploy that GPO across the domain. Read "Prepare your Active Directory to run Splunk services as a domain account" in this manual for specific instructions.

Once you've created and enabled the GPO, the workstations and servers in your domain pick up the changes either during the next scheduled Group Policy refresh (usually every 1.5 to 2 hours) or at the next boot. Alternatively, you can force an immediate Group Policy refresh with the GPUPDATE command-line utility on the server whose Group Policy you want to update.

When setting user rights, remember that rights assigned by a GPO override identical Local Security Policy rights on a machine, and you can't change this setting. If you wish to retain previously existing rights that are explicitly defined through Local Security Policy on a machine, you must also assign these rights within the GPO.

Troubleshoot permissions issues

The rights described above are the rights that the splunkd, splunkweb, and splunkforwarder services specifically require. Other rights might be needed, depending on your usage and what data you want to access. Additionally, many user rights assignments and other Group Policy restrictions can prevent Splunk from running. If you have issues, consider using a tool such as Process Monitor or GPRESULT to troubleshoot GPO application in your environment.
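The following PowerShell script is an added example, not part of the Splunk documentation: it checks, on the server that will run Splunk, whether a given service account holds each user right listed under "Minimum permissions requirements" and has full control over the installation directory, and it points at GPRESULT when something is missing, as suggested in this troubleshooting section. It assumes the account `CORP\svc-splunk` and the path `C:\Program Files\Splunk` as placeholders, and it must run as a local administrator because `secedit /export` requires it. The mapping from the right names used in Local Security Policy to the `Se*` constants that `secedit` reports is standard Windows naming.

```powershell
# Added example, not part of the Splunk documentation: verify that a Splunk
# service account holds the user rights and directory permissions the topic
# lists, and show where to look when one is missing. Run as a local
# administrator. Account and path below are placeholders.
param(
    [string] $Account    = 'CORP\svc-splunk',           # assumed service account
    [string] $SplunkHome = 'C:\Program Files\Splunk'    # assumed install directory
)

# Rights from the topic, keyed by the constants secedit uses for them.
$required = [ordered]@{
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process-level token'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
}

# secedit lists principals as *SID, so resolve the account to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user-rights assignments; rights pushed by a GPO are
# included because they have already been applied to the local policy.
$cfg = Join-Path $env:TEMP 'splunk-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

$missing = @()
foreach ($right in $required.Keys) {
    $line    = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # Example line: SeServiceLogonRight = *S-1-5-32-544,*S-1-5-21-...-1105
        $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # Only direct grants are detected; a right granted to a group the account
    # belongs to lists the group's SID instead.
    if ($holders -contains $sid) {
        "OK       {0} ({1})" -f $required[$right], $right
    } else {
        "MISSING  {0} ({1})" -f $required[$right], $right
        $missing += $right
    }
}

# Full control over the installation directory, granted directly to the account.
if (Test-Path $SplunkHome) {
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $hasFull = (Get-Acl -Path $SplunkHome).Access | Where-Object {
        ($_.IdentityReference.Value -eq $Account) -and
        ($_.AccessControlType -eq 'Allow') -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl)
    }
    if ($hasFull) { "OK       Full control over $SplunkHome" }
    else          { "MISSING  Full control over $SplunkHome"; $missing += 'FullControl' }
} else {
    "SKIPPED  $SplunkHome does not exist yet; re-run after creating it"
}

# Local Administrators membership, required for any "other user" install.
if ((net localgroup Administrators) -contains $Account) { "OK       Member of local Administrators" }
else { "MISSING  Member of local Administrators"; $missing += 'Administrators' }

if ($missing.Count -gt 0) {
    # A domain GPO overrides identical Local Security Policy settings, so on a
    # domain-joined host a missing right usually means a GPO is not assigning
    # it (or is assigning it to a different set of principals).
    "Missing: $($missing -join ', '). Review applied policy with: gpresult /scope computer /r"
}
```

Run the script before launching the Splunk installer; every line should read OK for the account you intend to supply. If a right shows as MISSING even though you set it in Local Security Policy, the GPO override described above is the usual cause, and `gpresult /scope computer /r` lists the GPOs that applied to the machine.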


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Useful, many thanks

April 8, 2013
