Refine your search:

Hi,

We have installed Splunk under an eval using just a local username. We'd like to monitor AD, but can't work out how to make Splunk use a different username. I have had a look through the documenation, but may have missed how to do this.

Could someone point me in the right direction please.

We're created a service account in the AD with limited rights, to get WMI and access log files, are there any specific rights the account needs? The documentation shoes that it needs some rights to the DC's but we don't want to create an account that can log into DC's GUI, but can pull data from them.

Sorry for the simple question.

Thanks

Craig

asked 17 May '10, 10:26

craigallen's gravatar image

craigallen
11213
accept rate: 0%


One Answer:

You have to change the service account in the Services Control panel, and change the ownership/permissions of all Splunk files. You'll find that the permissions of some files (e.g. Splunk indexes, Splunk internal logs file directory) are set by default to only be accessible by the initial installed Splunk user account. Easiest thing to do it to go to the installation directory and cascade your ownership changes down.

Alternatively, you can uninstall and reinstall providing the new user name, though this will delete everything in your install (including any indexed data, unless you moved it to a new location).

Note BTW that if you want to collect Windows Security Event Logs, basically you need to be an admin on the DC (and hence the domain). There is a way around it if you have to do it, but I would recommend against it.

http://www.splunk.com/support/forum:SplunkAdministration/4128

http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx

http://support.microsoft.com/kb/323076

link

answered 17 May '10, 12:53

gkanapathy's gravatar image

gkanapathy ♦
36.8k81228
accept rate: 41%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×596
×84

Asked: 17 May '10, 10:26

Seen: 2,032 times

Last updated: 17 May '10, 12:53

Copyright © 2005-2014 Splunk Inc. All rights reserved.