Re: If I installed a universal forwarder with a lo...

Abilan1 · ‎08-06-2015

Hi ,

I have installed a Universal Forwarder with a local system account, but now I want to make it in a domain account. Is it possible to change from Local System account to Domain account without uninstalling universal forwarder?

bmacias84 · ‎08-06-2015

Yes, you can change service user, but you must make sure the user has permission to run powershell, perfmon, access windows event logs, WMI, etc. Additionally you will have to use iCacls to give ownership of the $SPLUNK_HOME directory to the new user.

Abilan1 · ‎08-06-2015

Hi ,

Thank You! I wanted to know for windows forwarder and also the procedure to change that?

esix_splunk · ‎08-06-2015

On windows, Go into the services control panel, find the Splunk Service and open it. There is a run as system / run as user option, you can change it to the user there.
Once completing you can restart the service and validate it starts correctly.

somesoni2 · ‎08-06-2015

Is this a windows forwarder?

Abilan1 · ‎08-06-2015

Hi ,

Yes this is windows forwarder.

If I installed a universal forwarder with a local system account, is it possible to change to a domain account without uninstalling the forwarder?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk