I'm trying to index a file on a mapped network drive, but I keep seeing 'Access is denied' in splunkd.log. I can read the file OK from my server, so why can't Splunk?
Splunk is running on Windows 2003 R2 32-bit.
By default on Windows, Splunk runs as 'Local System User', which isn't really a 'user' in the normal sense. It's simply a collection of basic permissions and capabilities that allows Splunk to run as a service, execute scripts, etc. Normally, these permissions only extend to the limits of the local box, and to access network resources, you need to run as a user with domain permissions.
It's all documented here - http://docs.splunk.com/Documentation/Splunk/5.0/Installation/ChoosetheuserSplunkshouldrunas
Most notable part -
If you intend to do any of the following things, you must give Splunk a Domain account:
* read Event Logs remotely
* collect performance counters remotely
* read network shares for log files
* enumerate the Active Directory schema using Active Directory monitoring
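
To confirm the cause described in the answer above, the following PowerShell check (an added example, not part of the original thread or Splunk's documentation) reports which account the Splunk service logs on as and whether the monitored path is a mapped drive. It assumes the service is named `splunkd`; the path `\\fileserver\logs\app.log` is a placeholder for the file being indexed.

```powershell
# Added diagnostic sketch. Assumptions: the Windows service is named 'splunkd'
# and the default $Path is a placeholder for the file Splunk should monitor.
param(
    [string]$ServiceName = 'splunkd',
    [string]$Path        = '\\fileserver\logs\app.log'
)

# Win32_Service.StartName holds the logon account configured for the service.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

$account = $svc.StartName
"Service : $($svc.Name) ($($svc.State))"
"Runs as : $account"

# Built-in service identities, as opposed to a domain account.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
if ($builtin -contains $account) {
    "Finding : built-in local account; per the answer, a domain account is needed for network shares"
} else {
    "Finding : named account; confirm it has read permission on the share and the file"
}

# A drive letter mapped in an interactive session belongs to that logon
# session, so a service does not see it. Resolve it to the UNC path instead.
if ($Path -match '^[A-Za-z]:') {
    $letter = $Path.Substring(0, 2)
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$letter'"
    if ($disk -and $disk.DriveType -eq 4) {   # 4 = network drive
        "Path    : $letter is a mapped drive for $($disk.ProviderName); use the UNC path in the input"
    }
}

# This test runs as the interactive user, not as the service account, which
# is why the file can be readable here while splunkd logs 'Access is denied'.
"Readable by $env:USERDOMAIN\$env:USERNAME : $(Test-Path -LiteralPath $Path)"
```

If the service is moved to a domain account, granting that account read-only access to the specific share keeps the change within least privilege.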