Splunk® Enterprise

Installation Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Prepare your Windows network for a Splunk installation as a network or domain user

The following procedures detail the steps you must take to prepare your Windows network to allow for Splunk installation as a network or domain user other than the "Local System" user.

Important: Do not perform these instructions if you plan to install Splunk Enterprise or universal forwarder as the "Local System" user.

The instructions shown here have been tested for Windows Server 2008 R2 and Windows Server 2012, and might differ slightly for other versions of Windows.

Caution: These instructions require full administrative access to the computer and/or Active Directory domain you want to prepare for Splunk operations. Do not attempt to perform this procedure without this access.

Additionally, the rights you assign using these instructions are the minimum rights required for a successful Splunk installation. You might need to assign additional rights, either within the Local Security Policy or Group Policy object (GPO), or to the user and group accounts you create, in order for Splunk to access the data you want.

Prepare Active Directory for Splunk installation as a domain user

The following instructions guide you through preparing your Active Directory to allow for installations of Splunk Enterprise or the Splunk universal forwarder as a domain account.

Splunk recommends that you follow Microsoft's Best Practices (http://technet.microsoft.com/en-us/library/bb727085.aspx) when creating users and groups. This typically involves creating a specific Organizational Unit for groups within the organization.

These instructions assume the following:

  • You are running Active Directory.
  • You are a domain administrator for the AD domain(s) you want to configure.
  • The computer(s) you plan to install Splunk on are members of the AD domain.

Create groups

1. Run the Active Directory Users and Computers tool by selecting Start > Administrative Tools > Active Directory Users and Computers.

2. Once the program loads, select the domain that you want to prepare for Splunk operations.

3. Double-click an existing appropriate container folder to open it, or create a new Organizational Unit by selecting New > Organizational Unit from the Action menu.

4. From the Action menu, select New > Group.

5. In the dialog that appears, type in a name that represents Splunk user accounts, for example, "Splunk Accounts".

Ensure that the Group scope is set to Domain Local, and Group type is set to Security.

6. Click OK to create the group.

7. Create a second group and specify a name that represents Splunk-enabled computers, for example, "Splunk Enabled Computers". This group will contain computer accounts that get assigned the appropriate permissions to run Splunk as a domain user.

Ensure that the Group scope is set to Domain Local, and Group type is set to Security.

Assign users and computers to groups

If you have not already created the user account(s) that you want to use to run Splunk, now is a good time to do so. Be sure to follow Microsoft's Best Practices for creating users and groups if you do not have your own internal policy.

Once you have created the user account(s), add the account(s) to the Splunk Accounts group, and add the computer accounts of the computers that will run Splunk to the Splunk Enabled Computers group.

After you have done this, you can exit Active Directory Users and Computers.
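The same groups and memberships can be created from the command line. The following script is an added example and is not part of the Splunk manual; it assumes the RSAT ActiveDirectory module, domain administrator rights, and that the OU distinguished name, the service account name(s) and the computer names are placeholders you replace with your own.

```powershell
# Added example (not from the Splunk manual): scripted equivalent of the
# "Create groups" and "Assign users and computers to groups" steps above.
# Assumes the RSAT ActiveDirectory module and domain-admin rights.
Import-Module ActiveDirectory

$ouPath         = 'OU=Splunk,DC=example,DC=com'   # placeholder: OU that will hold the groups (must already exist)
$accountsGroup  = 'Splunk Accounts'               # group for the account(s) Splunk runs as
$computersGroup = 'Splunk Enabled Computers'      # group for the computer accounts that will run Splunk
$serviceUsers   = @('svc-splunk')                 # placeholder sAMAccountName(s) of the Splunk run-as account(s)
$splunkHosts    = @('SPLUNKIDX01', 'SPLUNKFWD01') # placeholder computer names

# Both groups are Domain Local / Security, exactly as the manual specifies.
$groups = @{}
foreach ($name in $accountsGroup, $computersGroup) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ouPath
    if (-not $g) {
        $g = New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                         -Path $ouPath -PassThru
    }
    $groups[$name] = $g
}

# Users go into the accounts group; the computer accounts of the hosts that
# will run Splunk go into the computers group.
$userObjs = $serviceUsers | ForEach-Object { Get-ADUser -Identity $_ }
Add-ADGroupMember -Identity $groups[$accountsGroup] -Members $userObjs

$computerObjs = $splunkHosts | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $groups[$computersGroup] -Members $computerObjs

# Review the result before moving on to the GPO: each group should list only
# the principals you intended to add.
foreach ($name in $groups.Keys) {
    $members = Get-ADGroupMember -Identity $groups[$name] |
        Select-Object -ExpandProperty SamAccountName
    '{0}: {1}' -f $name, ($members -join ', ')
}
```

Keeping the two groups separate matters for the later Security Filtering step: the computers group decides which hosts receive the GPO, and the accounts group is what the user rights and the Administrators membership are granted to.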

Define a Group Policy object (GPO)

1. Run the Group Policy Management Console (GPMC) tool by selecting Start > Administrative Tools > Group Policy Management.

2. In the tree view pane on the left, select Domains.

3. Click the Group Policy Objects folder.

4. In the Group Policy Objects in <your domain> folder, right-click and select New from the menu that pops up.

5. In the New GPO dialog, type in a name that represents the fact that the GPO will assign user rights to the servers you apply it to, for example, "Splunk Access."

Leave the Source Starter GPO field set to "(none)".

6. Click OK to save the GPO.

Add rights to the GPO

1. While still in the GPMC, right-click on the newly created group policy object and select Edit from the pop-up menu that appears.

2. In the Group Policy Management Editor that appears, in the left pane, browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

a. In the right pane, double-click on the Act as part of the operating system entry.
b. In the window that opens, check the Define these policy settings checkbox.
c. Click Add User or Group…
d. In the dialog that opens, click Browse…
e. In the Select Users, Computers, Service Accounts, or Groups dialog that opens, type in the name of the "Splunk Accounts" group you created earlier, then click Check Names…
Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again.
f. Click OK to close the "Select Users…" dialog.
g. Click OK again to close the "Add User or Group" dialog.
h. Click OK again to close the rights properties dialog.

3. Repeat Steps 2a-2h for the following additional rights:

  • Bypass traverse checking
  • Log on as a batch job
  • Log on as a service
  • Replace a process-level token

Change per-server Administrators group membership

The following steps restrict who is a member of the Administrators group on the server(s) to which you apply this GPO.

Caution: Make sure to add all accounts that need access to the Administrators group on each server to the Restricted Groups policy setting. Failure to do so can cause you to lose administrative access to the servers to which you apply this GPO!

1. While still in the Group Policy Management Editor window, in the left pane, browse to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

a. In the right pane, right-click and select Add Group… in the pop-up menu that appears.
b. In the dialog that appears, type in Administrators and click OK.
c. In the properties dialog that appears, click the Add button next to Members of this group:.
d. In the Add Member dialog that appears, click Browse…
e. In the Select Users, Computers, Service Accounts, or Groups dialog that opens, type in the name of the "Splunk Accounts" group you created earlier, then click Check Names…
Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again.
f. Click OK to close the Select Users… dialog.
g. Click OK again to close the "Add Member" dialog.
h. Click OK again to close the group properties dialog.

2. Repeat Steps 1a-1h for the following additional users or groups:

  • Domain Admins
  • Any additional users or groups that need to be members of the Administrators group on every server to which you apply the GPO.

3. Close the Group Policy Management Editor window to save the GPO.

Restrict GPO application to select computers

1. While still in the GPMC, in the GPMC's left pane, select the GPO you created and added rights to, if it is not already selected.

GPMC displays information about the GPO in the right pane.

2. In the right pane, under Security Filtering, click Add…

3. In the Select User, Computer, or Group dialog that appears, type in "Splunk Enabled Computers" (or the name of the group that represents Splunk-enabled computers that you created earlier).

4. Click Check Names. If the group is valid, Windows underlines the name. Otherwise, it tells you it cannot find the object and prompts you for an object name again.

5. Click OK to return to the GPO information window.

6. Repeat Steps 2-5 to add the "Splunk Accounts" group (the group that represents Splunk user accounts that you created earlier).

7. Under Security Filtering, click the Authenticated Users entry to highlight it.

8. Click Remove.

GPMC removes the "Authenticated Users" entry from the "Security Filtering" field, leaving only "Splunk Accounts" and "Splunk Enabled Computers."

Apply the GPO

1. While still in the GPMC, in the GPMC's left pane, select the domain to which you want to apply the GPO you created.

2. Right-click on the domain, and select Link an Existing GPO… in the menu that pops up.

Note: If you only want the GPO to affect the OU that you created earlier, then select the OU instead and right-click to bring up the pop-up menu.

3. In the Select GPO dialog that appears, select the GPO you created and edited, and click OK. GPMC applies the GPO to the selected domain.

4. Close GPMC by selecting File > Exit from the GPMC menu.

Note: Active Directory controls when Group Policy updates occur and GPOs get applied to computers in the domain. Typically, replication happens every 90-120 minutes. You must wait this amount of time before attempting to install Splunk as a domain user. Alternatively, you can force a Group Policy update by running GPUPDATE /FORCE from a command prompt on the computer on which you want to update Group Policy.
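The GPO, its Security Filtering and its link can also be created with the GroupPolicy PowerShell module. The following script is an added example and is not part of the Splunk manual. The User Rights Assignment and Restricted Groups settings themselves have no GroupPolicy cmdlet and are still configured in the Group Policy Management Editor as described above; the GPO name, group names and OU distinguished name below are placeholders.

```powershell
# Added example (not from the Splunk manual): scripted equivalent of
# "Define a Group Policy object", "Restrict GPO application to select
# computers" and "Apply the GPO". Assumes the RSAT GroupPolicy module and
# domain-admin rights. The rights and Restricted Groups settings are still
# edited in the Group Policy Management Editor.
Import-Module GroupPolicy

$gpoName        = 'Splunk Access'
$accountsGroup  = 'Splunk Accounts'
$computersGroup = 'Splunk Enabled Computers'
$linkTarget     = 'OU=Splunk,DC=example,DC=com'  # placeholder: the OU, or the domain DN to link domain-wide

# Define the GPO (no starter GPO, matching "(none)" in the New GPO dialog).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'User rights and Administrators membership for hosts that run Splunk'
}

# Security Filtering: grant Read + Apply to the two Splunk groups, then remove
# Authenticated Users so that only members of those groups receive the policy.
foreach ($grp in $accountsGroup, $computersGroup) {
    Set-GPPermission -Name $gpoName -TargetName $grp -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null
}
# -Replace is needed to lower an existing permission level (GpoApply -> None).
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None -Replace | Out-Null

# Link the GPO to the OU (or domain) unless it is already linked there.
$existingLink = (Get-GPInheritance -Target $linkTarget).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $linkTarget -LinkEnabled Yes | Out-Null
}

# Review: exactly the two Splunk groups should hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { '{0}: {1}' -f $_.Trustee.Name, $_.Permission }
```

Because the GPO carries only Computer Configuration settings, it is the computer account (a member of "Splunk Enabled Computers") that must be able to read and apply it. On a target host, `gpupdate /force` followed by `gpresult /r /scope computer` shows whether "Splunk Access" appears among the applied GPOs or among those filtered out.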

Install Splunk with a managed system account

Alternatively, you can install Splunk with a managed system account. Follow these instructions to do so:

1. Create and configure the MSA that you plan to use to monitor Windows data.

Note: You can use the instructions in "Prepare Active Directory for Splunk installation as a domain user" earlier in this topic to assign the MSA the appropriate security policy rights and group memberships.

2. Install Splunk from the command line as the "Local System" user.

Important: You must install Splunk from the command line and use the LAUNCHSPLUNK=0 flag to keep Splunk from starting after installation is completed.

3. After installation is complete, use Windows Explorer or the ICACLS command line utility to grant the MSA "Full Control" permissions to the Splunk installation directory and all its sub-directories.

Note: You might need to break NTFS permission inheritance from parent directories above the Splunk installation directory and explicitly assign permissions from that directory and all subdirectories.

4. Follow the instructions in the topic "Correct the user selected during Windows installation" in this manual to change the default user for Splunk's service account. In this instance, the correct user is the MSA you configured prior to installing Splunk.

Important: You must append a dollar sign ($) to the end of the username when completing Step 4 in order for the MSA to work properly. For example, if the MSA is SPLUNKDOCS\splunk1, then you must enter SPLUNKDOCS\splunk1$ in the appropriate field in the properties dialog for the service. You must do this for both the splunkd and splunkweb services.

5. Confirm that the MSA has the "Log on as a service" right.

Note: If you use the Services control panel to make the service account changes, Windows grants this right to the MSA automatically.

6. Start Splunk. Splunk will run as the MSA configured above, and will have access to all data that the MSA has access to.
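The MSA procedure above, carried out from an elevated PowerShell prompt, as an added example that is not part of the Splunk manual. It assumes the MSA has already been created and installed on the host, that the installer path and install directory are placeholders for your own, and that the service account is changed with the Win32_Service WMI method rather than the Services control panel (which means the "Log on as a service" right is not granted automatically and must be confirmed, as Step 5 says).

```powershell
# Added example (not from the Splunk manual): command-line form of Steps 2-6
# of "Install Splunk with a managed system account". Run elevated.
$msi        = 'C:\Temp\splunk-installer.msi'   # placeholder: path to the Splunk MSI
$splunkHome = 'C:\Program Files\Splunk'        # default Splunk installation directory
$msa        = 'SPLUNKDOCS\splunk1$'            # the MSA, WITH the trailing $ (see the Important note above)

# Step 2: install as Local System without starting Splunk. LAUNCHSPLUNK=0 is the
# flag the manual requires; AGREETOLICENSE=Yes is the installer's unattended
# license acceptance; /l*v writes a verbose install log for troubleshooting.
Start-Process -FilePath msiexec.exe -Wait -ArgumentList @(
    '/i', "`"$msi`"", 'AGREETOLICENSE=Yes', 'LAUNCHSPLUNK=0', '/quiet',
    '/l*v', "`"$env:TEMP\splunk-install.log`""
)

# Step 3: give the MSA Full Control on the install directory and everything
# under it. /inheritance:d detaches the tree from its parent but keeps copies
# of the inherited ACEs (SYSTEM, Administrators), so nothing loses access.
# (OI)(CI) make the grant apply to files and subfolders; /T walks the tree.
icacls $splunkHome /inheritance:d | Out-Null
icacls $splunkHome /grant "${msa}:(OI)(CI)F" /T | Out-Null

# Step 4: point both services at the MSA. Win32_Service.Change parameter order:
# DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
# StartName, StartPassword. A managed service account has no password to supply,
# so StartPassword is left null.
foreach ($svc in 'splunkd', 'splunkweb') {
    $s  = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
    $rc = $s.Change($null, $null, $null, $null, $null, $null, $msa, $null).ReturnValue
    if ($rc -ne 0) { throw "Setting the logon account on $svc failed (Win32_Service.Change returned $rc)" }
}

# Step 5: confirm the configured account, then confirm the MSA holds
# "Log on as a service" (Local Security Policy, or secedit /export) before starting.
foreach ($svc in 'splunkd', 'splunkweb') {
    sc.exe qc $svc | Select-String 'SERVICE_START_NAME'
}

# Step 6: start Splunk; it now runs as the MSA.
Start-Service -Name splunkd
Start-Service -Name splunkweb
```

If a service fails to start with a logon failure after Step 4, the usual causes are a missing trailing `$` in the account name or the "Log on as a service" right not having been granted to the MSA (or to a group the MSA belongs to).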

Prepare a local machine or non-AD network for Splunk installation

If you are not using Active Directory, follow these instructions to give administrative access to the user you want Splunk to run as on the computers you want to install Splunk on.

1. Give the user Splunk should run as administrator rights by adding the user to the local Administrators group.

2. Start Local Security Policy by selecting Start > Administrative Tools > Local Security Policy.

Local Security Policy launches and displays the local security settings.

3. In the left pane, expand Local Policies and then click User Rights Assignment.

a. In the right pane, double-click on the Act as part of the operating system entry.
b. Click Add User or Group…
c. In the dialog that opens, click Browse…
d. In the Select Users, Computers, Service Accounts, or Groups dialog that opens, type in the name of the user that Splunk should run as (the user you added to the local Administrators group in Step 1), then click Check Names…
Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again.
e. Click OK to close the "Select Users…" dialog.
f. Click OK again to close the "Add User or Group" dialog.
g. Click OK again to close the rights properties dialog.

4. Repeat Steps 3a-3g for the following additional rights:

  • Bypass traverse checking
  • Log on as a batch job
  • Log on as a service
  • Replace a process-level token

Once you have completed these steps, you can then install Splunk as the desired user.
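Before installing, it is worth confirming that the five rights were actually assigned. The following check is an added example and is not part of the Splunk manual. It exports the effective local security policy with `secedit` and looks up the SID of the account (or, on a domain member where the GPO grants the rights to the "Splunk Accounts" group, the group) under each of the five privilege constants; the account name is a placeholder.

```powershell
# Added example (not from the Splunk manual): verify that a principal holds the
# five rights this topic assigns. Works on a stand-alone machine (Local Security
# Policy) and on a domain member after the GPO has applied, because secedit
# exports the effective local policy. Run elevated.
$principal = "$env:COMPUTERNAME\svc-splunk"   # placeholder: local user, or e.g. 'SPLUNKDOCS\Splunk Accounts' for the GPO case

# Privilege constants as written in the exported policy, mapped to the names
# shown in the User Rights Assignment pane.
$requiredRights = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process-level token'
}

# Resolve the principal to its SID; the exported policy lists SIDs (prefixed with *).
$sid = ([System.Security.Principal.NTAccount]$principal).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg   # secedit writes UTF-16LE with a BOM, which Get-Content detects

$missing = 0
foreach ($priv in $requiredRights.Keys) {
    # A right that nobody holds has no line at all in the export.
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" }
    $holders = @()
    if ($line) {
        # Format: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...,DOMAIN\name
        $holders = ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $ok = ($holders -contains $sid) -or ($holders -contains $principal)
    if (-not $ok) { $missing++ }
    '{0,-8} {1} ({2})' -f $(if ($ok) { 'OK' } else { 'MISSING' }), $requiredRights[$priv], $priv
}
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($missing -gt 0) { Write-Warning "$missing of $($requiredRights.Count) required rights are not assigned to $principal" }
```

On a domain member, a right that is granted through the GPO appears under the SID of the "Splunk Accounts" group, not under the individual user, so pass the group name as the principal there. If a right shows as MISSING on a domain member even though the GPO is linked, run `gpupdate /force` and check `gpresult /r /scope computer` to see whether the GPO was filtered out.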


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Hi Neiljpeterson,

Yes, you can simply link the OU, and I've added a note to that effect.

Thanks!

Malmoore
December 11, 2013

In the step "Apply the GPO" does it make more sense to link it to just the OU (created in step 3 of "Create groups") rather than the whole domain?

Neiljpeterson
December 3, 2013
