Splunk® Enterprise

Installation Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Choose the Windows user Splunk Enterprise should run as

You choose which Windows user Splunk Enterprise should run as when you install Splunk Enterprise on Windows.

When you run the Windows Splunk Enterprise installer, it presents you with the option to select the user that Splunk Enterprise should run as. Read this topic before you install to understand the ramifications of choosing the user type.

The user you choose depends on what you want Splunk Enterprise to monitor

The user Splunk Enterprise runs as determines what it can monitor. The Local System user has access to all data on the local machine, but nothing else. A user other than Local System has access to whatever data you want it to, but give the user that access before you install Splunk Enterprise.

If you know that the computer on which you are installing Splunk Enterprise will not access remote Windows data, then see "Install on Windows" in this manual. To install using the command prompt, see "Install on Windows using the command line."

If you need to access remote Windows data, then continue with this topic to learn about the user you should install Splunk Enterprise as.

About the Local System user and other user choices

The Windows Splunk Enterprise installer provides two ways to install it: as the Local System user or as another existing user on your Windows computer or network, which you designate.

To do any of the following actions with Splunk Enterprise, you must install it as a domain user:

  • Read Event Logs remotely
  • Collect performance counters remotely
  • Read network shares for log files
  • Enumerate the Active Directory schema using Active Directory monitoring

The user that you specify must meet the following requirements:

  • Be a member of the Active Directory domain or forest that you want to monitor (when using AD).
  • Be a member of the local Administrators group on the server on which you install Splunk Enterprise. Note: There are exceptions to this rule for universal forwarders. See "Install the universal forwarder in 'low privilege' mode."
  • Have specific user security rights assigned to it before you install Splunk Enterprise. See "Minimum permissions requirements" later in this topic.

Caution If the user does not satisfy these minimum requirements, Splunk Enterprise installation might fail. Even if installation succeeds, Splunk Enterprise might not run correctly, or at all.

The user also has unique password constraints. See "Splunk user accounts and password concerns" later in this topic.

If you are not sure which user Splunk Enterprise should run as, then see "Considerations for deciding how to monitor remote Windows data" in the Getting Data In manual for information on how to configure the Splunk Enterprise user with the access it needs.

User accounts and password concerns

An issue that arises when you install Splunk Enterprise with a user account is that any active password enforcement security policy controls the password's validity. If your Windows server or network enforces password changes, consider the following issues:

  • Before the password expires, change it, reconfigure Splunk Enterprise services on every machine to use the changed password, and then restart Splunk Enterprise.
  • Configure the account so that its password never expires.
  • Use a managed service account. See "Use managed service accounts on Windows Server 2008, Server 2012, and Windows 7" in this topic.

Use managed service accounts on Windows Server 2008, Windows Server 2012, Windows 7, and Windows 8.x

If you run Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 7, or Windows 8.x in Active Directory, and your AD domain has at least one Windows Server 2008 R2 or Server 2012 domain controller, you can install Splunk Enterprise to run as a managed service account (MSA).

The benefits of using an MSA are:

  • Increased security from the isolation of accounts for services.
  • Administrators no longer need to manage the credentials or administer the accounts. Passwords automatically change after they expire. You do not have to manually set passwords or restart services associated with these accounts.
  • Administrators can delegate the administration of these accounts to non-administrators.

Some important things to understand before you install Splunk Enterprise with an MSA are:

  • The MSA requires the same permissions as a domain account on the machine that runs Splunk Enterprise.
  • The MSA must be a local administrator on the machine that runs Splunk Enterprise.
  • You cannot use the same account on different computers, as you would with a domain account.
  • You must correctly configure and install the MSA on the machine that runs Splunk Enterprise before you install Splunk Enterprise on the machine. See "Service Accounts Step-by-Step Guide" (http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx) on MS Technet.

To install Splunk Enterprise using an MSA, see "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" in this manual.

Security and remote access considerations

Minimum permissions requirements

If you install Splunk Enterprise as a domain user, then a minimum number of permissions are required on the server that runs the software.

The following is a list of the minimum user rights and permissions that the splunkd and splunkforwarder services require when you install Splunk Enterprise using a domain user. Depending on the sources of data you want to monitor, the Splunk Enterprise user might need additional permissions.

Required basic permissions for the splunkd or splunkforwarder services

  • Full control over the Splunk Enterprise installation directory.
  • Read access to any flat files that you want to index.

Required Local/Domain Security Policy user rights assignments for the splunkd or splunkforwarder services

  • Permission to log on as a service.
  • Permission to log on as a batch job.
  • Permission to replace a process-level token.
  • Permission to act as part of the operating system.
  • Permission to bypass traverse checking.

Caution If you do not assign these permissions to the Splunk Enterprise user before installation you might have a failed Splunk Enterprise installation, or an installation that does not function correctly, or at all.

Note Splunk Enterprise does not require these permissions when it runs as the Local System account.

How to assign these permissions

This section contains concepts about how to assign the appropriate user rights and permissions to the Splunk Enterprise service account before you install. For instructions, see "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" in this manual.

Use Group Policy to assign rights to multiple machines

To assign the policy settings to a number of workstations and servers in your AD domain or forest, you can define a Group Policy object (GPO) with these specific rights, and deploy that GPO across the domain. See "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" in this manual.

After you create and enable the GPO, the workstations and servers in your domain pick up the changes either during the next scheduled AD replication cycle (usually every 1.5 to 2 hours) or at the next boot time. Alternatively, you can force AD replication by using the GPUPDATE command-line utility on the server on which you want to update Group Policy.

When you set user rights, rights assigned by a GPO override identical Local Security Policy rights on a machine. You cannot change this setting. To retain existing rights that are defined through Local Security Policy on a machine, you must also assign these rights within the GPO.

Troubleshoot permissions issues

The rights described are the rights that the splunkd and splunkforwarder services require. Other rights might be needed, depending on your usage and what data you want to access. Many user rights assignments and other Group Policy restrictions can prevent Splunk Enterprise from running. If you have problems, consider using a tool such as Process Monitor or GPRESULT to troubleshoot GPO application in your environment.

PREVIOUS
More ways to secure Splunk Enterprise
  NEXT
Prepare your Windows network to run Splunk Enterprise as a network or domain user

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters