Getting Data In

Splunk installed under local username, but want to monitor AD

craigallen
Engager

Hi,

We have installed Splunk under an eval using just a local username. We'd like to monitor AD, but can't work out how to make Splunk use a different username. I have had a look through the documenation, but may have missed how to do this.

Could someone point me in the right direction please.

We're created a service account in the AD with limited rights, to get WMI and access log files, are there any specific rights the account needs? The documentation shoes that it needs some rights to the DC's but we don't want to create an account that can log into DC's GUI, but can pull data from them.

Sorry for the simple question.

Thanks

Craig

Tags (2)

gkanapathy
Splunk Employee
Splunk Employee

You have to change the service account in the Services Control panel, and change the ownership/permissions of all Splunk files. You'll find that the permissions of some files (e.g. Splunk indexes, Splunk internal logs file directory) are set by default to only be accessible by the initial installed Splunk user account. Easiest thing to do it to go to the installation directory and cascade your ownership changes down.

Alternatively, you can uninstall and reinstall providing the new user name, though this will delete everything in your install (including any indexed data, unless you moved it to a new location).

Note BTW that if you want to collect Windows Security Event Logs, basically you need to be an admin on the DC (and hence the domain). There is a way around it if you have to do it, but I would recommend against it.

http://www.splunk.com/support/forum:SplunkAdministration/4128

http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx

http://support.microsoft.com/kb/323076

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...