Prepare your Windows network to run Splunk Enterprise as a network or domain user
You can prepare your Windows network to run Splunk Enterprise as a network or domain user other than the "Local System" user.
This can be different from the user that you use to install the software. Regardless of the user that you run Splunk Enterprise as, you must install the software with an account that has local administrator privileges on the installation machine.
These instructions have been tested for Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, and might differ for other versions of Windows.
The rights you assign by using these instructions are the minimum rights that are necessary for a successful Splunk Enterprise installation. You might need to assign additional rights, either within the Local Security Policy or a Group Policy object (GPO), or to the user and group accounts that you create, for Splunk Enterprise to access the data you want.
Security requirements and ramifications of changing system defaults through Group Policy
This procedure requires full administrative access to the host or Active Directory domain you want to prepare for Splunk Enterprise operations. Do not attempt to perform this procedure without this access.
The low-level access requirements for Splunk Enterprise operations necessitate these changes if you want to run Splunk Enterprise as a user other than the Local System user. You must make changes to your Windows network to complete this procedure. Making these changes presents a significant security risk: two of the rights you assign, "Act as part of the operating system" and "Replace a process-level token", let the account create access tokens for any user, so the account is effectively equivalent to Local System on every host where it holds them, and the procedure also makes it a local administrator on each Splunk host. Anyone who obtains the account's credentials on one host (for example from the memory of the LSASS process) therefore gains administrative access to every host in the Splunk Enabled Computers group.
To mitigate the risk, prevent the user that Splunk Enterprise runs as from logging in interactively (assign it the "Deny log on locally" and "Deny log on through Remote Desktop Services" rights), limit the machines from which the user can log in (the account's Log On To restriction in Active Directory Users and Computers, or the LogonWorkstations parameter in PowerShell), and give it a strong, unique password. Alternatively, on Windows Server 2008 R2 and later, you can use a managed service account (MSA), whose password Windows generates and rotates automatically and never shows to an administrator, which further limits the risk.
If you are not comfortable with or do not understand the security risks that come with this procedure, then do not perform it.
Configure Active Directory for running Splunk software as a domain user
The following procedures prepare your Active Directory for installations of Splunk Enterprise or the Splunk universal forwarder as a domain user.
To use PowerShell to configure your Active Directory for installation of Splunk Enterprise, see "Use PowerShell to configure your AD domain" later in this topic.
Prerequisites
You must meet the following requirements to perform this procedure:
- Your Windows environment runs Active Directory.
- You are a domain administrator for the AD domains that you want to configure.
- The installation hosts are members of this AD domain.
Create users
When you create users for running Splunk Enterprise, follow Microsoft best practices for service accounts. See Microsoft Best Practices on MS TechNet.
- Run the Active Directory Users and Computers tool by selecting Start > Administrative Tools > Active Directory Users and Computers.
- Select the domain that you want to prepare for Splunk Enterprise operations.
- Click Action > New > User.
- Enter the username for the new user and click Next.
- Uncheck User must change password at next logon.
- Click Next.
- Click Finish.
- (Optional) Repeat this procedure to create additional users.
- (Optional) Quit Active Directory Users and Computers.
Create groups
This procedure creates the groups for users and machines that run Splunk Enterprise.
- Run the Active Directory Users and Computers tool by selecting Start > Administrative Tools > Active Directory Users and Computers.
- Select the domain that you want to prepare for Splunk Enterprise operations.
- Double-click an existing container folder, or create an Organizational Unit by selecting Action > New > Organizational Unit and then double-click it.
- Select Action > New > Group.
- Type a name that represents Splunk Enterprise user accounts, for example, Splunk Accounts.
- Confirm that the Group scope is set to Domain Local and Group type is set to Security.
- Click OK to create the group.
- Create a second group and specify a name that represents Splunk Enterprise enabled computers, for example, Splunk Enabled Computers. This group contains computer accounts that receive permissions to run Splunk Enterprise as a domain user.
- Confirm that the Group scope is Domain Local and the Group type is Security.
Assign users and computers to groups
This part of the procedure assigns users and computers that you created in the previous part.
- Add the accounts to the Splunk Accounts group.
- Add the computer accounts of the computers that will run Splunk Enterprise to the Splunk Enabled Computers group.
- (Optional) Quit Active Directory Users and Computers.
Define a Group Policy object (GPO)
The Group Policy Object you create here is applied to all of the machines that run Splunk Enterprise. It assigns, on those machines, the user rights that Splunk Enterprise needs in order to run as a domain user.
- Run the Group Policy Management Console (GPMC) tool by selecting Start > Administrative Tools > Group Policy Management.
- In the tree view pane on the left, select Domains.
- Click the Group Policy Objects folder.
- In the Group Policy Objects in <your domain> folder, right-click and select New.
- Type a name that describes the fact that the GPO will assign user rights to the servers you apply it to. For example, "Splunk Access."
- Leave the Source Starter GPO field set to "(none)".
- Click OK to save the GPO.
- Remain in the GPMC. You will perform additional work there in the next section.
Add rights to the GPO
- While still in the GPMC, right-click on the newly-created group policy object and select Edit.
- In the Group Policy Management Editor, in the left pane, browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
- In the right pane, double-click on the Act as part of the operating system entry.
- In the window that opens, check the Define these policy settings checkbox.
- Click Add User or Group…
- In the dialog that opens, click Browse…
- In the Select Users, Computers, Service Accounts, or Groups dialog that opens, type in the name of the "Splunk Accounts" group you created earlier and click Check Names… Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again.
- Click OK to close the "Select Users…" dialog.
- Click OK again to close the "Add User or Group" dialog.
- Click OK again to close the rights properties dialog.
- Repeat the preceding steps, from double-clicking the entry through closing its properties dialog, for the following additional rights:
- Bypass traverse checking
- Log on as a batch job
- Log on as a service
- Replace a process-level token
- Remain in the Group Policy Management Editor. You will perform additional work there in the next section.
Change Administrators group membership on each host
This procedure restricts who is a member of the Administrators group on the hosts to which you apply this GPO.
Confirm that all accounts that need access to the Administrators group on each host have been added to the Restricted Groups policy setting. Failure to do so can result in losing administrative access to the hosts on which you apply this GPO!
- While still in the Group Policy Management Editor window, in the left pane, browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
- In the right pane, right-click and select Add Group… in the pop-up menu that appears.
- In the dialog that appears, type in Administrators and click OK.
- In the properties dialog that appears, click the Add button next to Members of this group:.
- In the Add Member dialog that appears, click Browse…
- In the Select Users, Computers, Service Accounts, or Groups dialog that opens, type in the name of the "Splunk Accounts" group you created earlier and click Check Names… Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again.
- Click OK to close the Select Users… dialog.
- Click OK again to close the Add Member dialog.
- Click OK again to close the group properties dialog.
- Repeat the Add, Browse, and Check Names steps for the following additional users or groups. The Members of this group list replaces the existing membership of Administrators on every host that receives the GPO, so any account you leave out is removed from the group on those hosts:
- Domain Admins
- any additional users who need to be a member of the Administrators group on every host to which you apply the GPO.
- Close the Group Policy Management Editor window to save the GPO.
- Remain in the GPMC. You will perform additional work there in the next section.
Restrict GPO application to select computers
This procedure controls which machines will actually receive the new GPO, and thus have their user rights assignments changed so that they can run Splunk Enterprise.
- While still in the GPMC, in the GPMC left pane, select the GPO you created and added rights to, if it is not already selected. The GPMC displays information about the GPO in the right pane.
- In the right pane, under Security Filtering, click Add…
- In the Select User, Computer, or Group dialog that appears, type in "Splunk Enabled Computers" (or the name of the group that represents Splunk-enabled computers that you created earlier.)
- Click Check Names. If the group is valid, Windows underlines the name. Otherwise, it tells you it cannot find the object and prompts you for an object name again.
- Click OK to return to the GPO information window.
- Repeat the Add, type, and Check Names steps to add the "Splunk Accounts" group (the group that represents Splunk user accounts that you created earlier). Because this GPO contains only computer settings, this entry is optional; the computer group is what determines which hosts apply the policy.
- Under Security Filtering, click the Authenticated Users entry to highlight it.
- Click Remove. GPMC removes the "Authenticated Users" entry from the "Security Filtering" field, leaving only "Splunk Accounts" and "Splunk Enabled Computers." This removes both the Apply group policy and the Read permission of Authenticated Users. Since security update MS16-072 (KB3163622), a host reads computer policy with its own computer account, so a GPO that the computer account cannot read silently stops applying. On the GPO's Delegation tab, add Authenticated Users (or Domain Computers) back with Read permission only; members of Splunk Enabled Computers keep both Read and Apply.
- Remain in the GPMC. You will perform additional work there in the next section.
Apply the GPO
Group Policy is applied on a schedule that Active Directory controls. Domain-joined hosts refresh Group Policy at startup and in the background every 90 minutes, plus a random offset of up to 30 minutes. You must either wait for the next refresh before attempting to install Splunk as a domain user, or force a Group Policy update by running GPUPDATE /FORCE from a command prompt on the host whose Group Policy you want to update. To confirm that the GPO reached a host, run GPRESULT /R /SCOPE COMPUTER on it and check that the GPO name is listed under Applied Group Policy Objects.
- While still in the GPMC, in the GPMC left pane, select the domain to which you want to link the GPO you created.
- Right-click on the domain, and select Link an Existing GPO… in the menu that pops up.
If you only want the GPO to affect the OU that you created earlier, then select the OU instead and right-click to bring up the pop-up menu. Linking at the OU is the safer choice: combined with security filtering, a computer that is mistakenly added to Splunk Enabled Computers but sits outside that OU does not receive the policy.
- In the Select GPO dialog that appears, select the GPO you created and edited, and click OK. GPMC links the GPO to the selected domain or OU.
- Close GPMC by selecting File > Exit from the GPMC menu.
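The whole Active Directory procedure above (groups, memberships, GPO, security filtering, link), as an added PowerShell example that is not part of Splunk's documentation or code. It uses the ActiveDirectory and GroupPolicy modules from RSAT; the domain example.com, the OU "Splunk Servers", the host SPLUNK01 and the service account svc-splunk are assumed names. It departs from the GUI steps in one place: it leaves Authenticated Users with Read permission on the GPO instead of removing the entry. The user rights themselves still have to be set in the Group Policy Management Editor, because the GroupPolicy module has no cmdlet for User Rights Assignment.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not Splunk's own code. Run as a domain administrator on a host with RSAT.
$ErrorActionPreference = 'Stop'

$DomainDN      = 'DC=example,DC=com'                     # assumed domain
$OuDN          = "OU=Splunk Servers,$DomainDN"           # assumed OU holding the Splunk hosts
$AccountsGroup = 'Splunk Accounts'
$HostsGroup    = 'Splunk Enabled Computers'
$GpoName       = 'Splunk Access'
$ServiceUser   = 'svc-splunk'                            # assumed existing domain user
$SplunkHosts   = @('SPLUNK01')                           # assumed computer accounts in $OuDN

# "Create groups": two Domain Local security groups.
foreach ($g in $AccountsGroup, $HostsGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope DomainLocal `
                    -GroupCategory Security -Path $OuDN
    }
}

# "Assign users and computers to groups".
Add-ADGroupMember -Identity $AccountsGroup -Members (Get-ADUser -Identity $ServiceUser)
Add-ADGroupMember -Identity $HostsGroup -Members ($SplunkHosts | ForEach-Object { Get-ADComputer -Identity $_ })

# "Define a Group Policy object": created unlinked, so nothing receives it yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User rights for hosts that run Splunk Enterprise as a domain user'
}

# "Restrict GPO application to select computers". Only the computers group gets
# Apply. Authenticated Users is downgraded to Read rather than removed: since
# MS16-072 (KB3163622) the computer account must be able to read the GPO, and
# the GUI "Remove" step takes Read away too, after which the GPO never applies.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $HostsGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null
# The GUI steps also add the accounts group; harmless, but unnecessary, because
# the GPO carries only Computer Configuration settings.
Set-GPPermission -Name $GpoName -TargetName $AccountsGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# "Apply the GPO": link at the OU, not the domain root.
$linked = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# Resulting ACL: expect Authenticated Users = GpoRead, the two groups = GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

# Still to do in the Group Policy Management Editor (right-click the GPO, Edit):
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment, the five rights listed above, plus
# the Restricted Groups entry. Then, on a Splunk host:
#   gpupdate /target:computer /force
#   gpresult /r /scope computer      # the GPO should appear under Applied Group Policy Objects
```

The script is idempotent: it skips groups, the GPO, and the link if they already exist, so it can be rerun after fixing a typo without creating duplicates. Set-GPPermission with -Replace is what turns the Authenticated Users entry from Apply into Read only; without -Replace the cmdlet only adds permissions.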
Install Splunk with a managed service account
Alternatively, you can install Splunk Enterprise with a managed service account (MSA).
You can use the instructions in "Configure Active Directory for running Splunk software as a domain user" earlier in this topic to assign the MSA the appropriate security policy rights and group memberships.
When you grant file permissions to the MSA after installation, you might need to break NTFS permission inheritance from parent directories above the Splunk Enterprise installation directory and explicitly assign permissions from that directory and all subdirectories.
Windows grants the "Log on as a service" right to the MSA automatically if you use the Services control panel to make changes to Splunk services.
- Create and configure the MSA that you plan to use to monitor Windows data.
- Install Splunk from the command line and use the LAUNCHSPLUNK=0 flag to keep Splunk Enterprise from starting after installation has completed.
- After installation completes, use Windows Explorer or the ICACLS command line utility to grant the MSA "Full Control" permissions to the Splunk Enterprise installation directory and all its sub-directories.
- Change the default user for the splunkd and splunkweb service accounts, as described in the topic Correct the user selected during Windows installation. You must append a dollar sign ($) to the end of the username when completing this step for the MSA to work. For example, if the MSA is SPLUNKDOCS\splunk1, then you must enter SPLUNKDOCS\splunk1$ in the appropriate field in the properties dialog for the service, and leave the password fields blank, because Windows retrieves the MSA password itself. You must do this for both the splunkd and splunkweb services.
- Confirm that the MSA has the "Log on as a service" right.
- Start Splunk Enterprise. It runs as the MSA configured above, and has access to all data that the MSA has access to.
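The MSA procedure above end to end, as an added PowerShell example that is not Splunk's own code. The domain EXAMPLE, the standalone MSA splunk1, the host SPLUNK01, the installer path C:\Temp\splunk.msi and the install directory are assumed; the "Splunk Accounts" group is the one created earlier in this topic, and the Active Directory module (RSAT) is assumed on both the domain controller and the Splunk host. The AGREETOLICENSE and LAUNCHSPLUNK installer flags are Splunk's documented MSI properties.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Splunk's own code. Part 1 runs on a DC or RSAT host as a
# domain admin; part 2 runs on the Splunk host as a local administrator.
$ErrorActionPreference = 'Stop'
$MsaName    = 'splunk1'                     # assumed
$MsaLogon   = 'EXAMPLE\splunk1$'            # trailing $ is mandatory for an MSA
$SplunkHost = 'SPLUNK01'                    # assumed
$SplunkDir  = 'C:\Program Files\Splunk'
$Msi        = 'C:\Temp\splunk.msi'          # assumed

### Part 1: directory side.
# Standalone MSA bound to one computer. The 2012+ module needs the switch; the
# 2008 R2 module creates standalone MSAs without it. A gMSA (-DNSHostName and
# -PrincipalsAllowedToRetrieveManagedPassword) would let several hosts share one.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
    New-ADServiceAccount -Name $MsaName -RestrictToSingleComputer -Enabled $true `
                         -Description 'Splunk Enterprise service account'
}
Add-ADComputerServiceAccount -Identity $SplunkHost -ServiceAccount $MsaName
# Same group the GPO grants the user rights to, so the MSA inherits them.
Add-ADGroupMember -Identity 'Splunk Accounts' -Members (Get-ADServiceAccount -Identity $MsaName)

### Part 2: on the Splunk host.
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) { throw "$MsaName is not usable on this host" }

# LAUNCHSPLUNK=0: install, but do not start anything as Local System.
$p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList "/i `"$Msi`" AGREETOLICENSE=Yes LAUNCHSPLUNK=0 /quiet"
if ($p.ExitCode -ne 0) { throw "msiexec exited with $($p.ExitCode)" }

# Full Control on the whole tree: (OI) inherits to files, (CI) to folders, /T walks
# existing content. If inherited ACEs from parent folders get in the way, add
# /inheritance:r first and re-grant Administrators and SYSTEM explicitly.
& icacls.exe $SplunkDir /grant "$($MsaLogon):(OI)(CI)F" /T /Q | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE)" }

# Switch the services to the MSA. The empty password is what the Services console
# sends when the fields are left blank; the service controller fetches the real one.
foreach ($svc in 'splunkd', 'splunkweb') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
    if (-not $s) { continue }                               # skip a service that is not installed
    $r = Invoke-CimMethod -InputObject $s -MethodName Change `
            -Arguments @{ StartName = $MsaLogon; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change($svc) returned $($r.ReturnValue)" }
}

# "Confirm that the MSA has the Log on as a service right": its own SID or the
# group's SID must be on the SeServiceLogonRight line of the local policy.
$sids = @((Get-ADServiceAccount -Identity $MsaName).SID.Value,
          (Get-ADGroup -Identity 'Splunk Accounts').SID.Value)
$inf  = Join-Path $env:TEMP 'rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$line = (Get-Content $inf) -match '^SeServiceLogonRight'
if (-not ($sids | Where-Object { $line -match [regex]::Escape("*$_") })) {
    throw 'Neither the MSA nor Splunk Accounts holds SeServiceLogonRight; fix the GPO or local policy first'
}

Start-Service -Name splunkd
Get-CimInstance -ClassName Win32_Service -Filter "Name='splunkd'" | Select-Object Name, StartName, State
```

If the GPO has not yet reached the host, the SeServiceLogonRight check fails before Start-Service is attempted, which is the failure you want: a service that starts as Local System because the account switch silently failed is the outcome the whole procedure exists to avoid.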
Use PowerShell to configure your AD domain
You can use PowerShell to configure your Active Directory environment for Splunk Enterprise services. This option is available when you do not want to use the GUI-based administrative applications.
Create the Splunk user account
- Open a PowerShell window.
- Import the ActiveDirectory PowerShell module, if needed:
> Import-Module ActiveDirectory
- Create a new user:
> New-ADUser -Name <user> `
    -SamAccountName <user> `
    -Description "Splunk Service Account" `
    -DisplayName "Service:Splunk" `
    -Path "<organizational unit LDAP path>" `
    -AccountPassword (Read-Host -AsSecureString "Account Password") `
    -CannotChangePassword $true `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true `
    -PasswordNotRequired $false `
    -SmartcardLogonRequired $false `
    -Enabled $true `
    -LogonWorkstations "<server>"
In this example:
- The command creates an account whose password cannot be changed by the user, is not forced to change after first logon, and does not expire. A non-expiring password is itself a risk: rotate it on your own schedule, or use a managed service account, which rotates its password automatically.
- <user> is the name of the user you want to create.
- <organizational unit LDAP path> is the distinguished name of the OU or container in which to put the new user, for example: CN=Managed Service Accounts,DC=splk,DC=com.
- <server> is a single host or comma-separated list which specifies the host(s) that the account can log in from.
The LogonWorkstations argument is not required, but lets you limit which computers the account can log on to, which is one of the mitigations described earlier in this topic.
Configure the Splunk Enterprise server
After you have configured a user account, use PowerShell to configure the server with the correct permissions for the account to run Splunk Enterprise.
This is an advanced procedure. Improper changes to your AD can render it unusable. Perform these steps only if you feel comfortable doing so and understand the ramifications of using them, including problems that can occur due to typos and improperly-formatted files.
In the following examples:
- <user> is the name of the user you created that will run Splunk Enterprise.
- <domain> is the domain in which the user resides.
- <computer> is the remote computer you want to connect to in order to make changes.
To configure local security policy from PowerShell:
- Connect to the machine that you wish to configure.
- If you use the local machine, log in and open a PowerShell prompt, if you have not already.
- If you connect to a remote machine, create a new PSSession on the remote host, as shown in the following example. PowerShell remoting uses WinRM on TCP port 5985 (5986 for HTTPS). If Windows Firewall blocks it, allow that rule rather than disabling the firewall; running Enable-PSRemoting on the target host creates the inbound rule. See Need to Disable Windows Firewall on MS TechNet (for versions of Windows Server up to Server 2008 R2) and Firewall with Advanced Security Administration with Windows PowerShell, also on MS TechNet.
> Enter-PSSession -ComputerName <computer>
- Add the service account to the local Administrators group. Here <computer> is the host you are configuring, the same name you passed to Enter-PSSession.
> $group = [ADSI]"WinNT://<computer>/Administrators,group"
> $group.Add("WinNT://<domain>/<user>")
- Create a backup file that contains the current state of user rights settings on the local machine. Keep it: importing it again is how you roll the change back.
> secedit /export /areas USER_RIGHTS /cfg OldUserRights.inf
- Use the backup to create a new user rights information file that assigns the Splunk Enterprise user elevated rights when you import it.
> Get-Content OldUserRights.inf `
    | Select-String -Pattern "(SeTcbPrivilege|SeChangeNotify|SeBatchLogon|SeServiceLogon|SeAssignPrimaryToken|SeSystemProfile)" `
    | %{ "$_,<domain>\<user>" } | Out-File NewUserRights.inf
This keeps every existing holder of each right and appends the Splunk user, which matters because secedit replaces the holder list of each right it imports. Two caveats: secedit exports only rights that currently have at least one holder, so if a line for a right (typically SeTcbPrivilege) is missing from OldUserRights.inf, add it to NewUserRights.inf by hand as <right> = <domain>\<user>; and the pattern also matches SeSystemProfilePrivilege (Profile system performance), which is not among the rights assigned through the GPO earlier in this topic, so remove it from the pattern if you do not want to grant it.
- Create a header for the new policy information file and concatenate the header and the new information file together.
> ( "[Unicode]", "Unicode=yes" ) | Out-File Header.inf
> ( "[Version]", "signature=`"`$CHICAGO`$`"", "Revision=1") | Out-File -Append Header.inf
> ( "[Privilege Rights]" ) | Out-File -Append Header.inf
> Get-Content NewUserRights.inf | Out-File -Append Header.inf
Windows PowerShell writes Out-File output as UTF-16, which is the encoding secedit expects and the Unicode=yes header declares. PowerShell 7 writes UTF-8 by default, so add -Encoding Unicode to each Out-File call there.
- Review the policy information file to ensure that the header was properly written, and that the file has no syntax errors in it.
- Import the file into the local security policy database on the host.
> secedit /import /cfg Header.inf /db C:\splunk-lsp.sdb
> secedit /configure /db C:\splunk-lsp.sdb
If secedit reports an error, the details are in %windir%\security\logs\scesrv.log. Confirm the result with a fresh secedit /export and check that <domain>\<user>, or its SID in the *S-1-5-… form, appears on each of the rights.
Prepare a local machine or non-AD network for Splunk Enterprise installation
If you do not use Active Directory, follow these instructions to give administrative access to the user you want Splunk Enterprise to run as on the hosts on which you want to install Splunk Enterprise.
- Give the user Splunk Enterprise should run as administrator rights by adding the user to the local Administrators group.
- Start Local Security Policy by selecting Start > Administrative Tools > Local Security Policy.
- In the left pane, expand Local Policies and then click User Rights Assignment.
- In the right pane, double-click on the Act as part of the operating system entry.
- Click Add User or Group…
- Click Browse…
- Type in the name of the user (or local group) that Splunk Enterprise will run as, and click Check Names... Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again.
- Click OK.
- Click OK.
- Click OK.
- Repeat the preceding steps, from double-clicking the entry through the final OK, for the following additional rights:
- Bypass traverse checking
- Log on as a batch job
- Log on as a service
- Replace a process-level token
After you have completed these steps, you can then install Splunk Enterprise as the desired user.
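The User Rights Assignment part of this local procedure, and of the secedit snippet in "Use PowerShell to configure your AD domain" above, in one added PowerShell script that is not Splunk's own code. It takes either a local account (.\splunksvc) or a domain account (EXAMPLE\svc-splunk); both names are assumptions and the account must already exist. Beyond the page's snippet it resolves the account to a SID, creates a right's line when nobody currently holds it (secedit leaves such rights out of an export), writes the .inf as UTF-16 on every PowerShell version, adds the two "Deny log on" rights this topic recommends as a mitigation, and verifies the result from a fresh export.

```powershell
#Requires -RunAsAdministrator
# Added example, not Splunk's own code. Run elevated on the host that will run Splunk Enterprise.
param(
    [string]$Account = '.\splunksvc',        # assumed; use "EXAMPLE\svc-splunk" for a domain user
    [bool]$DenyInteractiveLogon = $true      # the topic's mitigation for a service account
)
$ErrorActionPreference = 'Stop'

# secedit names for the five rights listed in this topic.
$Grant = @(
    'SeTcbPrivilege',                # Act as part of the operating system
    'SeChangeNotifyPrivilege',       # Bypass traverse checking
    'SeBatchLogonRight',             # Log on as a batch job
    'SeServiceLogonRight',           # Log on as a service
    'SeAssignPrimaryTokenPrivilege'  # Replace a process-level token
)
if ($DenyInteractiveLogon) {
    $Grant += 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
}

# Resolve once to a SID: secedit stores principals as *SID, and a typo fails here rather than in the policy.
$acct = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
$sid  = ([System.Security.Principal.NTAccount]$acct).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

# Local Administrators membership, as this procedure requires. ADSI works back to Server 2008 R2.
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
try   { $admins.Add('WinNT://' + ($acct -replace '\\', '/')) }
catch { if ($_.Exception.Message -notmatch 'already a member') { throw } }

$work = Join-Path $env:TEMP 'splunk-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$before = Join-Path $work 'before.inf'   # keep this: importing it rolls the change back
$policy = Join-Path $work 'splunk.inf'
$after  = Join-Path $work 'after.inf'

& secedit.exe /export /cfg $before /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $before)) { throw 'secedit export produced no file' }

# Current holders per right. Rights with no holder at all are simply absent from the export.
$current = @{}
foreach ($line in Get-Content $before) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $current[$Matches[1]] = $Matches[2].Trim() }
}

$inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($r in $Grant) {
    # secedit REPLACES the holder list of every right it imports, so carry existing holders over.
    $holders = @()
    if ($current.ContainsKey($r) -and $current[$r]) { $holders = $current[$r] -split ',' }
    if ($holders -notcontains "*$sid") { $holders += "*$sid" }
    $inf += "$r = $($holders -join ',')"
}
$inf | Out-File -FilePath $policy -Encoding Unicode   # PowerShell 7 would otherwise write UTF-8, which secedit rejects

& secedit.exe /configure /db (Join-Path $work 'splunk.sdb') /cfg $policy /areas USER_RIGHTS /overwrite /quiet | Out-Null

# Verify from a fresh export instead of trusting the exit code. On failure the
# reason is in $env:windir\security\logs\scesrv.log.
& secedit.exe /export /cfg $after /areas USER_RIGHTS /quiet | Out-Null
$lines   = Get-Content $after
$missing = foreach ($r in $Grant) {
    $pattern = '^' + $r + '\s*=.*' + [regex]::Escape("*$sid")
    if (-not ($lines -match $pattern)) { $r }
}
if ($missing) { throw "Rights not applied: $($missing -join ', ')" }
"$acct ($sid) now holds: $($Grant -join ', ')"
```

On a domain-joined host that also receives the GPO from the first half of this topic, the GPO wins on the next refresh, so run this script only on hosts outside the domain or outside the GPO's scope; otherwise the rights you set here are overwritten by whatever the GPO defines for the same entries.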
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0