
Local Users on Universal Forwarder and Remote CLI?

stevepraz
Path Finder

We are looking to lock down our universal forwarders on Windows servers. Our plan is for all the necessary configs to be pulled down from a deployment server.

In light of that, is there any reason why we would need the local user (admin) created when the forwarder is installed? What functions would that be used for? Could we rename it or disable it to prevent it from being used? Also, is there a way to prevent remote CLI functions from being able to be run? What is the 8089 port used for on a forwarder?


ekost
Splunk Employee
  1. Credentials are required to access and read files. A Windows forwarder uses the Windows-owned LocalSystem account by default, and does not create a new account in Windows. If you know what data you want to collect from Windows, review the credential and collection options and consider the creation of a custom system account to run the forwarder. Test vigorously.
  2. CLI functions require authentication. Change the forwarder's own internal credentials after the installation completes. Use scripts for post installation tasks when deploying forwarders at scale.
  3. Answers has a good post on the uses for the management port here. The port can be disabled.


stevepraz
Path Finder

Thanks for the response. Point 2 is what my question was mainly around, the forwarder's internal credentials. From initial testing it looks like the forwarder starts up just fine with no users in the SPLUNK_HOME/etc/passwd file. If I'm handling my initial installs and mass upgrades with a deployment tool like SCCM and I am managing my forwarder configurations via deployment server, are there any critical CLI functions I would be losing out on by not having any users internal to the forwarder?

Even if we changed the user name from admin and the password, we'd have to rotate the password (to meet internal standards). If there isn't any functionality we are missing out on, it seems easier to just disable it entirely.


ekost
Splunk Employee

The only time I leverage CLI on a forwarder is troubleshooting. I agree that if you've become very comfortable with deployment server and have a method in mind to manage potential changes to the deploymentclient.conf file, there's very little need for CLI or the management port. All that said, I do not know of a way to completely disable the CLI functions. You can check with support for confirmation. Restricting access to the forwarder installation from non-admins with login capabilities is an option.

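The points raised across this thread (rotate the forwarder-internal admin credential after install, do it from a script when deploying at scale, disable the management port, and keep non-admins away from the install tree) fit naturally into one post-install step run by the same tool that pushed the MSI. The script below is an added illustration written for this page; it is not from Splunk or from either poster. Everything in it that the thread does not state is an assumption: the SPLUNK_HOME path, the deployment server name, the installer default credential `admin:changeme`, and the Windows service name `SplunkForwarder`. It relies on two documented Splunk behaviours: `splunk edit user ... -auth` rotates a local account's password, and `disableDefaultPort = true` under `[httpServer]` in server.conf stops splunkd from listening on 8089. Run it elevated.

```powershell
# Post-install lock-down of a Windows Universal Forwarder (added example, not Splunk's script).
# Assumed, not from the page: SPLUNK_HOME, the deployment server, the installer default
# credential, and the service name. Run as a local administrator.
$ErrorActionPreference = 'Stop'
$SplunkHome   = 'C:\Program Files\SplunkUniversalForwarder'   # assumed install path
$Splunk       = Join-Path $SplunkHome 'bin\splunk.exe'
$DeployServer = 'ds.example.internal:8089'                     # assumed deployment server
$OldAuth      = 'admin:changeme'                               # assumed post-install default
$ServiceName  = 'SplunkForwarder'                              # assumed UF service name

function Invoke-Splunk {
    # Runs the splunk CLI and aborts on a non-zero exit so a half-hardened host is noticed.
    param([string[]]$Arguments)
    & $Splunk @Arguments
    if ($LASTEXITCODE -ne 0) { throw "splunk $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

# 1. Point the forwarder at the deployment server; every other config comes down from there.
Invoke-Splunk @('set', 'deploy-poll', $DeployServer, '-auth', $OldAuth)

# 2. Rotate the forwarder-internal admin password to a random value. Escrow $NewPassword in
#    a secrets store if you want troubleshooting access later; it is not written to disk here.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$NewPassword = [Convert]::ToBase64String($bytes)
Invoke-Splunk @('edit', 'user', 'admin', '-password', $NewPassword, '-auth', $OldAuth)

# Prove the rotation took: the old credential must be rejected and the new one accepted.
& $Splunk list forward-server -auth $OldAuth 2>$null
if ($LASTEXITCODE -eq 0) { throw 'old admin credential still works' }
Invoke-Splunk @('list', 'forward-server', '-auth', "admin:$NewPassword")

# 3. Close the management port (8089). Do this LAST: once it is off, CLI commands that talk
#    to splunkd (edit user, list forward-server, set deploy-poll) no longer work on this host.
#    The deployment client keeps phoning home because that connection is outbound to the
#    deployment server's own management port, not inbound to this one.
$ServerConf = Join-Path $SplunkHome 'etc\system\local\server.conf'
if (-not (Test-Path $ServerConf) -or
    -not (Select-String -Path $ServerConf -Pattern '^\s*disableDefaultPort' -Quiet)) {
    Add-Content -Path $ServerConf -Value "`r`n[httpServer]`r`ndisableDefaultPort = true`r`n"
}

# 4. Only SYSTEM, local Administrators and the service account (when it is not LocalSystem)
#    may touch the install tree, so a non-admin logon cannot read splunk.secret or run the CLI.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
$grants = @('SYSTEM:(OI)(CI)F', 'BUILTIN\Administrators:(OI)(CI)F')
if ($svcAccount -ne 'LocalSystem') { $grants += "${svcAccount}:(OI)(CI)F" }
icacls.exe $SplunkHome /inheritance:r /grant:r $grants /T /Q | Out-Null

# 5. Restart so server.conf and deploymentclient.conf take effect, then confirm 8089 is closed.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 10
$listening = Get-NetTCPConnection -LocalPort 8089 -State Listen -ErrorAction SilentlyContinue
if ($listening) { throw 'management port 8089 is still listening' }
Write-Output 'forwarder hardened: admin rotated, 8089 closed, install tree restricted'
```

The order matters more than any single step: credential rotation and `set deploy-poll` both go through splunkd's REST interface on 8089, so they must run before the port is disabled. If you later need the CLI for troubleshooting, remove the `disableDefaultPort` line, restart the service, and use the escrowed password; `splunk btool` and the service itself keep working with the port off.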