Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Running a script in another user context

kholleran
Communicator
‎09-09-2010 05:50 PM

Hello,

My splunk server belongs to a different domain with a trust set up. I have a python script that does some Active Directory stuff and I want to feed that into Splunk. It runs great when I run the script but then I realized that as a scripted input, it is using the system account which is not on my domain. I am trying to specify the other domain in the script instead of the domain the user is running under but it is being difficult so I was wondering if there is there a way to run a scripted input in another user context?

Thanks.

Kevin

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎09-09-2010 06:29 PM

In the old days, you could do something like...

runas /user:<user>@<domain> /savecred calc.exe

...you would be challenged for a password. After entering it once, you could do this again:

runas /user:<user>@<domain> /savecred calc.exe

...and calculator would be started as <user>.

If that is still true, you may be able to substitute calc.exe with your script and use that as your scripted input.

View solution in original post

Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎09-09-2010 06:29 PM

In the old days, you could do something like...

runas /user:<user>@<domain> /savecred calc.exe

...you would be challenged for a password. After entering it once, you could do this again:

runas /user:<user>@<domain> /savecred calc.exe

...and calculator would be started as <user>.

If that is still true, you may be able to substitute calc.exe with your script and use that as your scripted input.

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-09-2010 06:19 PM

Splunk doesn't have a built-in way to launch a script in another user context. I think generally the operating system's security model isn't going to provide any possible way for the "local system" user to transparently launch a process as a domain user. Maybe it's possible by drastically relaxing a lot of security guarantees -- I'm no windows expert -- but I wouldn't recommend that.

Here are some options:

  • Run splunk as a domain user with the right permissions. (Problem, this can be problematic with an indexer, since now all its files are owned differently. Fixing this can be as simple as changing ownership on all the files, and changing the user that the splunk services run as, but backups are appropriate for such experiments.)
  • Run your script externally to splunk, and write to log files that splunk tails. This has some nice properties of decoupling your code from splunk so it's easier to inspect, debug, etc. It also makes it much easier for you to always get complete data and never get duplicates. It has the additional burden of ensuring your code is running. Python's logger framework is a handy way to create the files.
0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-10-2010 06:27 AM

Apparently Python has a win32security module out there that works similarly and may be built on top of this.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-10-2010 06:24 AM

There are non-.NET ways to do this too, but I'm pretty sure I can't explain them. The .NET WindowsIdentity.Impersonate() call is no picnic either, but not too bad.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-10-2010 06:21 AM

There is a .NET api (WindowsIdentity.Impersonate) that lets a process to switch Security Context to run as another user, if they have the credentials of the "other" user. However, they must also have the OS/Windows Local Security Right to do so. I think the name of the right was "Impersonate another user", but it also might have been "Act as part of the Operating System", or maybe both. The ASP.NET account has these rights and is able to do this, bu I am not sure that "LocalSystem" can do this. You may need to create a real local or domain account to be able to assign the right(s).

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-09-2010 07:04 PM

Sure, but Local System isn't a domain user.

0 Karma
Reply
Solved! Jump to solution

kholleran
Communicator
‎09-09-2010 06:28 PM

On point 2, you are basically saying write my output to a file of some sort, then have Splunk index that file?

Thanks for your suggestions. I wouldn't think that it would be very good security if I COULD do it the way I wanted.... there is a trust in place between domains so maybe that's not why the scripted input is failing... (though the script runs fine when not launched by Splunk...)

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...