
splunk-regmon causes error when UF runs as non-privileged user

mirkokorn
Explorer

Hi all,

I'm currently doing some tests with UF on Windows 10 hosts. Unfortunately I'm getting an error I was not able to get rid of yet.

When running UF as a user account that is part of the Administrators group, everything is running fine. As we do not want to run the process with full administrative rights, I created a local user "splunk" and gave it the following rights:
- Full control over the UF directory.
- Permission to log on as a service.
- Permission to log on as a batch job.
- Permission to replace a process-level token.
- Permission to act as part of the operating system.
- Permission to bypass traverse checking.
(source: http://docs.splunk.com/Documentation/Splunk/6.6.3/Installation/ChoosetheuserSplunkshouldrunas)

With the non-privileged settings I do get the following messages in splunkd.log with WinRegMon inputs enabled:
07-30-2018 14:50:26.985 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - manageDriver Open SC Manager failed! Error = 5
07-30-2018 14:50:26.985 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - WinRegistryMonitor::StartDriver: Unable to install driver.

Accordingly, I do not get any data from source WinRegMon.

The same configuration seems to be working fine on Windows 7. Has anyone had the same issue yet? Tested versions are UF 6.6.3 and UF 7.1.1.

0 Karma
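The post lists the user rights the docs say a non-administrative UF account needs, but does not show how to confirm they were actually applied on the host. The following PowerShell script is an added example (it is not from the original post and not Splunk's own tooling): it exports the local user-rights policy with secedit, resolves the account to its SID, and reports which of the five listed rights the account holds, whether it is a member of the local Administrators group, and which account the forwarder service runs as. The service name "SplunkForwarder" and the account name "splunk" are assumptions; the mapping from the friendly right names to the SeXxx constants is the one Windows uses in exported policy files. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example, not part of the original post or of Splunk's tooling.
# Audits whether a local service account actually holds the user rights listed
# in the Splunk docs, using the policy exported by secedit.
param(
    [string]$Account     = 'splunk',           # assumed: local account from the post
    [string]$ServiceName = 'SplunkForwarder'   # assumed: UF Windows service name
)

# Friendly name (as shown in secpol.msc) -> constant in the [Privilege Rights]
# section of a secedit export.
$RequiredRights = [ordered]@{
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Log on as a batch job'               = 'SeBatchLogonRight'
    'Replace a process-level token'       = 'SeAssignPrimaryTokenPrivilege'
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Bypass traverse checking'            = 'SeChangeNotifyPrivilege'
}

# secedit lists principals as *S-1-5-..., so resolve the account to its SID.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy to a temp file.
$cfg = Join-Path $env:TEMP 'uf-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg -Encoding Unicode   # secedit writes UTF-16
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# Check each required right: the line looks like
#   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1001
$results = foreach ($entry in $RequiredRights.GetEnumerator()) {
    $line = $policy | Where-Object { $_ -match "^$($entry.Value)\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    }
    [pscustomobject]@{
        Right    = $entry.Key
        Constant = $entry.Value
        Granted  = ($holders -contains "*$sid")
    }
}

# Is the account (still) a local administrator? The post's goal is that it is not.
$adminMembers = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
$isAdmin = $adminMembers -contains "$env:COMPUTERNAME\$Account"

# Which account does the forwarder service actually log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

$results | Format-Table -AutoSize
[pscustomobject]@{
    Account            = $Account
    SID                = $sid
    LocalAdministrator = $isAdmin
    ServiceName        = $ServiceName
    ServiceRunsAs      = if ($svc) { $svc.StartName } else { '(service not found)' }
    MissingRights      = ($results | Where-Object { -not $_.Granted }).Right -join ', '
}
```

A missing entry in the table points at a right that was granted to the wrong principal (for example a domain account instead of the local one) or never applied; a `LocalAdministrator` of `True` means the test is not actually exercising the non-privileged configuration. Note that none of the five listed rights covers creating or starting a kernel driver service through the Service Control Manager, which is what the `Open SC Manager failed! Error = 5` line (5 is ERROR_ACCESS_DENIED) reports, so a fully green table does not by itself resolve the error described in the post.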

mirkokorn
Explorer

If anyone else runs into the same error, contact support. They confirmed the behaviour as a bug.

0 Karma