Creating service accounts
Create users
A user is required for authentication and is assigned a role in later steps for authorization. The following steps show how to create local users. If you are using ActiveDirectory for authentication on your ESX/i hosts, skip to the "Make users in ActiveDirectory" section below.
Make local users on your ESX/i hosts
You can manually create local ESX/i users on a per host basis or you can automatically create users using the Installation tools provided with the FA VM.
NOTE: To use the tools to automatically create the engine configuration files, all ESX/i hosts in the host_csv field must use the same service account username and password (hostuser, hostpwd). If your ESX/i hosts do not use the same service account credentials, you can run enginebuilder.py multiple times or generate the FA VM configuration files manually.
To manually create a user on a particular host:
- Open up the vSphere client and connect to the ESX/i machine where you want to create the user.
- Go to the Local Users & Groups tab for the ESX/i machine in the inventory screen.
- Right-click in the list of users and click Add from the context menu.
- Under User Information enter a login name (e.g. splunksvc) and optionally a user name. The login, NOT the user name, will be what you'll use for authentication. The user name is just a more readable string for display purposes.
- Under Enter Password enter a password and ensure it meets your minimum password requirements, usually a character count and two different types of characters.
- Leave Group Membership untouched; the user is automatically assigned to the group users.
- Click OK and you should see your user in the list of users. If so, then you are done.
Make users in ActiveDirectory
In a VMware environment, you can join your ESX/i hosts to an ActiveDirectory domain for authentication. Service accounts have to be created on all ESX/i hosts for the Splunk for VMware solution to work correctly. If any of your machines are not configured to use AD authentication, then you must create a "local" user on each one (see the relevant sections above for steps on how to do that).
For machines that are participating in an AD domain, you must create a service account in the given domain using the appropriate control panel in Windows Server. Most VMware environments use a single AD domain for authentication. However, if you are using multiple AD domains, then you must create a service account in each domain that your VMware environment is using.
How to create a service account within AD can vary depending upon your specific environment. Detailed steps are beyond the scope of this document. See your AD administrator to learn how to do this correctly for your environment. Here is an article that also may be helpful: http://technodrone.blogspot.com/2010/07/esxi-41-active-directory-integration.html.
After you have created the necessary service account(s) in AD, you must still create the required role and map it to the service account you just created in AD. The steps are the same as for local accounts. Follow the instructions in Create roles on each ESX/i host.
Create roles on each ESX/i host
To create a role on each ESX/i host:
- Open up the vSphere client and connect to the vCenter. Log in with administrative privileges.
- Click Home in the path bar.
- Under Administration click Roles.
- Click the Add Role button.
- In the Add new Role dialog, enter a name for the role (e.g. splunkreader).
- Select the appropriate permissions for the role (see Required permissions in vSphere below).
Required permissions in vSphere
The following table lists the permissions for the role defined in vSphere. These permissions are required so that the Forwarder Appliance can collect data from the ESX/i host.
| Permission |
|---|
| Global.Diagnostics |
| Global.Licenses |
| Global.Settings |
| Host.Configuration.Change SNMP settings |
| Host.Configuration.Hyperthreading |
| Host.Configuration.Memory configuration |
| Host.Configuration.Network configuration |
| Host.Configuration.Power† |
| Host.Configuration.Security profile and firewall |
| Host.Configuration.Storage partition configuration |
| Sessions.View and stop sessions |
| Virtual machine.Provisioning.Read customization specifications |

†Applies to VMware 4.1 only
- Click OK and you should see your role in the list of roles. If so, then you're done!
Assign users to roles
- In the vSphere client connect to the ESX/i host that contains the user and role you created and now want to link together.
- Go to the Home > Inventory > Inventory screen on an ESX/i host.
- Right-click on the root object in the tree on the left and click "Add Permission" from the context menu.
- On the left of the Assign Permissions window, under Users and Groups click Add...
- Select the user you wish to assign a role to (e.g. splunksvc) from the list box and click Add then click OK.
- On the right of the Assign Permissions window, under Assigned Role select the role you wish to assign to the user from the pull down menu (e.g. splunkreader).
- Make sure the Propagate to Child Objects check box is ticked; without it your user will not have all of the necessary permissions.
- Click OK and verify that your user is listed on the permissions tab and has the role you assigned.
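The role creation and role assignment steps above, as an added PowerCLI example that is not part of the Splunk documentation. It assumes PowerCLI is installed, that the service account already exists (locally on the host or in AD), that vcenter.example.com is a placeholder for your vCenter, and that the privilege IDs listed map to the display names in the table (confirm them with Get-VIPrivilege on your vSphere version). It also audits the role afterwards so that privileges beyond the required set are flagged.

```powershell
# Added example (not from the Splunk documentation or the vSphere product).
param(
    [string]$Server    = 'vcenter.example.com',  # placeholder, replace with your vCenter
    [string]$Principal = 'splunksvc',            # local user, or 'DOMAIN\splunksvc' for AD
    [string]$RoleName  = 'splunkreader'
)

# Least-privilege set taken from the "Required permissions in vSphere" table.
# Assumed privilege IDs for the table's display names; Host.Config.Power is
# only needed on vSphere 4.1 (dagger footnote in the table).
$RequiredPrivilegeIds = @(
    'Global.Diagnostics', 'Global.Licenses', 'Global.Settings',
    'Host.Config.Snmp', 'Host.Config.HyperThread', 'Host.Config.Memory',
    'Host.Config.Network', 'Host.Config.Power', 'Host.Config.NetService',
    'Host.Config.Storage', 'Sessions.TerminateSession',
    'VirtualMachine.Provisioning.ReadCustSpecs'
)

Connect-VIServer -Server $Server | Out-Null

# Create the role only if it does not already exist, with exactly the required privileges.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $privs = Get-VIPrivilege -Id $RequiredPrivilegeIds
    $role  = New-VIRole -Name $RoleName -Privilege $privs
}

# Assign the role at the root of the inventory with propagation to child objects,
# which is the "Propagate to Child Objects" check box in the manual steps.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true | Out-Null

# Audit the role: report any privilege outside the required set (role creep) and any
# required privilege that is missing. System.* privileges are added to every role by
# vSphere itself, so they are excluded from the comparison.
$actual  = (Get-VIPrivilege -Role $role).Id | Where-Object { $_ -notlike 'System.*' }
$extra   = $actual | Where-Object { $RequiredPrivilegeIds -notcontains $_ }
$missing = $RequiredPrivilegeIds | Where-Object { $actual -notcontains $_ }
if ($extra)   { Write-Warning ("Role {0} has privileges beyond the required set: {1}" -f $RoleName, ($extra -join ', ')) }
if ($missing) { Write-Warning ("Role {0} is missing required privileges: {1}" -f $RoleName, ($missing -join ', ')) }
if (-not $extra -and -not $missing) { Write-Output "Role $RoleName matches the required privilege set." }
```

Run it once per vCenter; for hosts that are not managed by vCenter, connect to the ESX/i host directly instead and the same role and permission cmdlets apply.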
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0.2, 1.0.3, 2.0