
How to Grant SplunkForwarder Service Access to SQL Server

malmiran
Path Finder

I am using a Splunk add-on for PowerShell to connect to SQL Server and run a T-SQL script stored in a .sql file. (For reasons I don't wanna go into right now, the SQL add-on using DBConnect is not an option.) Anyway, my PowerShell approach works perfectly fine if I grant the NT Service\System sysadmin to SQL Server. Otherwise, I get an error saying it doesn't have the right permission to run the query. For security reasons, I really don't want to grant sysadmin to the local system account, so I thought that if I create a login for the service name of the SplunkForwarder (i.e. NT Service\SplunkForwarder), I could then grant just the SplunkForwarder service elevated privs. However, I can't seem to make it work. For some reason, it ignores the permissions I grant the SplunkForwarder service name, and continues to use the security context NT Service\System.

Any ideas?

jkat54
SplunkTrust

Have you tried to run your PowerShell script as the user you’ve created using runas or other user impersonation techniques?

0 Karma

malmiran
Path Finder

You mean to test? Yeah, I can't impersonate the local service name account (I tried). At any rate, the error I get when I remove the privilege from the SYSTEM account indicates that is what the SplunkForwarder is using.

I'll close this thread. For now, I'm OK with granting SYSTEM view access to SQL given the SQL login already exists.

0 Karma

jkat54
SplunkTrust

Did you restart the forwarder service after changing the runas account in services.msc?

0 Karma

malmiran
Path Finder

Yep, I did. Definitely not that. 🙂

0 Karma
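
A diagnostic for the question in this thread, as an added example that is not from any poster or from Splunk: run as the forwarder's PowerShell input, it reports the service's configured logon account, its service SID type, and the login and login token SQL Server sees for the connection. The instance name `localhost` is a placeholder, and the script assumes Windows PowerShell with the .NET `System.Data.SqlClient` provider.

```powershell
# Added example, not from the thread. Assumed names: service 'SplunkForwarder'
# (from the thread) and a local default SQL Server instance (placeholder).
$ServiceName = 'SplunkForwarder'
$SqlInstance = 'localhost'

# 1. Logon account configured for the service (LocalSystem, a domain user, ...).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
Write-Output "service_logon_account=`"$($svc.StartName)`""

# 2. Service SID type (NONE, UNRESTRICTED or RESTRICTED) as reported by sc.exe.
sc.exe qsidtype $ServiceName

# 3. Windows identity of the process running this script.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Output "process_identity=`"$($me.Name)`""

# 4. Ask SQL Server which login the connection was mapped to, whether that
#    login is sysadmin, and which principals are in the login token.
$query = @"
SELECT SUSER_SNAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
SELECT name, type, usage FROM sys.login_token ORDER BY name;
"@
$connStr = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    do {
        # One key="value" line per row, for each of the two result sets.
        while ($reader.Read()) {
            $fields = for ($i = 0; $i -lt $reader.FieldCount; $i++) {
                '{0}="{1}"' -f $reader.GetName($i), $reader.GetValue($i)
            }
            Write-Output ($fields -join ' ')
        }
    } while ($reader.NextResult())
}
finally {
    $conn.Dispose()
}
```

If `login_name` still comes back as the SYSTEM account, check whether the service name appears among the `sys.login_token` rows before changing any grants.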