
Splunk installed under local username, but want to monitor AD

craigallen
Engager

Hi,

We have installed Splunk under an eval using just a local username. We'd like to monitor AD, but can't work out how to make Splunk use a different username. I have had a look through the documentation, but may have missed how to do this.

Could someone point me in the right direction, please?

We've created a service account in the AD with limited rights, to get WMI and access log files. Are there any specific rights the account needs? The documentation shows that it needs some rights to the DCs, but we don't want to create an account that can log into the DCs' GUI, only one that can pull data from them.

Sorry for the simple question.

Thanks

Craig

gkanapathy
Splunk Employee
You have to change the service account in the Services Control panel, and change the ownership/permissions of all Splunk files. You'll find that the permissions of some files (e.g. Splunk indexes, Splunk internal logs file directory) are set by default to only be accessible by the initial installed Splunk user account. The easiest thing to do is to go to the installation directory and cascade your ownership changes down.

Alternatively, you can uninstall and reinstall providing the new user name, though this will delete everything in your install (including any indexed data, unless you moved it to a new location).

Note BTW that if you want to collect Windows Security Event Logs, basically you need to be an admin on the DC (and hence the domain). There is a way around it if you have to do it, but I would recommend against it.

http://www.splunk.com/support/forum:SplunkAdministration/4128

http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx

http://support.microsoft.com/kb/323076
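
The account change described in the answer above, as an added PowerShell example that is not part of the original thread or Splunk's own tooling. The install path, the service name `Splunkd` and the account `EXAMPLE\svc_splunk` are assumptions; substitute your own values.

```powershell
# Assumptions (not from the thread): default install path, the Windows service
# name "Splunkd", and a placeholder account EXAMPLE\svc_splunk.
# Run from an elevated PowerShell prompt on the Splunk host.
$SplunkHome  = 'C:\Program Files\Splunk'
$ServiceName = 'Splunkd'
$Account     = 'EXAMPLE\svc_splunk'

$cred = Get-Credential -UserName $Account -Message 'Password for the service account'

Stop-Service -Name $ServiceName -Force

# Change the logon account through WMI so the password never appears on a
# command line. Unlike the Services control panel, this does not grant the
# "Log on as a service" right; assign it through policy first.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)" }

# Cascade ownership and access down the install directory, as the answer suggests.
# /T recurses; /C continues past errors so every failure is reported.
icacls $SplunkHome /setowner $Account /T /C
if ($LASTEXITCODE -ne 0) { throw 'icacls /setowner reported failures' }
icacls $SplunkHome /grant "${Account}:(OI)(CI)F" /T /C
if ($LASTEXITCODE -ne 0) { throw 'icacls /grant reported failures' }

Start-Service -Name $ServiceName

# Confirm the service now runs under the intended account.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
```

If the indexes were moved outside the install directory, repeat the two `icacls` steps on that location as well.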
