Splunk Universal Forwarders and the Domain User

One of the things that you have to decide right up front on Windows is how to run the Universal Forwarder. For most situations, running as the Local System account is adequate, providing access to all necessary resources. Other times, you need to run as a domain user; either because of local security policies or because what you are monitoring requires a domain account. For example, SharePoint, SQL Server and remote WMI access all require a domain account. I’ve blogged about how to do the necessary security changes using GPO before, but GPO has some drawbacks. The most notable one is that you cannot have different group policies managing the user rights because the last group policy will overwrite the earlier ones.

As a result, many organizations decide to leave the user rights assignment to the local security policy, which means you now have to go through all of your Windows hosts that require a domain account to run Splunk and update the local security policy. What we all need is a scripted method of doing all the changes necessary to install the Splunk Universal Forwarder so we can install to hundreds of hosts using a remoting method like PowerShell.

Fortunately, Microsoft likes large enterprises and has provided tools to allow us to do this. We first need to create a single system with the right local security policy. Just log on to your favorite test machine and do the changes to the local security policy. Then open up a PowerShell prompt as the Administrator and run the following command:

secedit /export /cfg splunk-lsp.inf /areas USER_RIGHTS

Secedit is a useful command that exports and imports the security configuration. This command will create a small text file for us to edit. Before we edit the exported file, we need to know the Security Identifier (or SID) of the user that will run Splunk, normally specified as DOMAIN\user – in my case, it’s BD\sp-domain. I can find the SID by using this PowerShell snippet:

$user = New-Object System.Security.Principal.NTAccount("BD\sp-domain")
# Translate the account to its SID; .Value gives the S-1-5-... string
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sid

This will produce a string starting with S- and with a whole lot of numbers after it. We will need this number to recognize our user in the inf file we created in the first step. Our next step is to edit the splunk-lsp.inf file so that it only includes the local security rights we are interested in. Here is my resulting file:


[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-2882450500-3417635276-1240590811-1206
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-21-2882450500-3417635276-1240590811-1206,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-90-0
SeBatchLogonRight = *S-1-5-21-2882450500-3417635276-1240590811-1206,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-21-2882450500-3417635276-1240590811-1206,*S-1-5-80-0
SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-2882450500-3417635276-1240590811-1206

You will note that this file has six privileges, not five as per the Splunk installation manual. That’s because there is not a one-to-one relationship between the user rights displayed in the Local Security Policy editor and the underlying policy names in the security template. You can read all about the other policy decisions in the file C:\Windows\inf\defltsv.inf.
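Once the template has been imported on a host, it is worth confirming that the account really ended up with all six rights rather than trusting the exit code. The following check is an added example, not part of the original post: it resolves the account to its SID the same way as above, exports the effective user rights with secedit, and reports each of the six rights from the inf file. The account name and right names are the post's; the temporary export path is a constructed value. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): verify that the Splunk service
# account holds the six user rights listed in splunk-lsp.inf on this host.
# Assumptions: account name and right names come from the post; the export
# path below is a constructed temporary file. Requires an elevated prompt.

$Account = "BD\sp-domain"
$RequiredRights = @(
    "SeTcbPrivilege",
    "SeChangeNotifyPrivilege",
    "SeBatchLogonRight",
    "SeServiceLogonRight",
    "SeSystemProfilePrivilege",
    "SeAssignPrimaryTokenPrivilege"
)

# Resolve DOMAIN\user to its SID; secedit templates reference accounts as *SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user-rights assignment to a temporary template.
$tmp = Join-Path $env:TEMP "ur-check.inf"
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# Parse "SeXxx = *SID,*SID,..." lines into a right -> list-of-SIDs table.
# secedit writes the file as UTF-16LE with a BOM, which Get-Content detects.
$rights = @{}
Get-Content $tmp | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = ($Matches[2] -split ',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $tmp

# Report which of the required rights the account does and does not hold.
foreach ($right in $RequiredRights) {
    $holders = $rights[$right]          # $null if the right is not assigned at all
    [pscustomobject]@{
        Right   = $right
        Granted = ($holders -contains $sid)
    }
}
```

Any row with Granted = False means either the import did not run on that host or a later policy refresh (for example a GPO that sets the same right) has overwritten the local assignment, which is exactly the interaction described at the start of the post.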

Now that you have the security policy file, you have one more task before bulk installation. You have to add the designated user to your local administrators group. This can be done through a GPO but you can do this with the following PowerShell ADSI command:
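The ADSI command itself is not present in the copy of the post reproduced here, so the following is an added example rather than the author's own line. It uses the WinNT ADSI provider to add the post's account, BD\sp-domain, to the local Administrators group of the machine it runs on; the group and account paths are the only assumptions.

```powershell
# Added example (the post's own ADSI command is not reproduced here): add the
# Splunk service account to the local Administrators group via the WinNT provider.
# "." means the local machine; the account path is DOMAIN/user with a forward slash.
$group = [ADSI]"WinNT://./Administrators,group"
$group.Add("WinNT://BD/sp-domain,user")

# Confirm membership by listing the group's members.
@($group.Invoke("Members")) | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
}
```

On hosts with the LocalAccounts module (Windows 10 and Server 2016 onwards), Add-LocalGroupMember -Group Administrators -Member "BD\sp-domain" does the same thing with less ceremony; the ADSI form works on older systems as well.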
Now you can create an installer script for your Splunk Universal Forwarder. Most organizations have a software repository that is mounted automatically. I mount mine at S:\ and the Splunk stuff is in the S:\Splunk area. My installer script is called “installad.ps1”, and here it is:

# Load the exported user-rights template into a temporary security database
secedit /import /cfg S:\Splunk\splunk-lsp.inf /db C:\splunk-lsp.sdb
# Apply the database to the local security policy
secedit /configure /db C:\splunk-lsp.sdb
# The database is only needed during the import; remove it afterwards
Remove-Item C:\splunk-lsp.sdb
# Silent install of the forwarder, running the service as the domain account
msiexec.exe /i splunkforwarder.msi AGREETOLICENSE=Yes DEPLOYMENT_SERVER="sp-deploy:8089" LOGON_USERNAME="BD\sp-domain" LOGON_PASSWORD="changeme" INSTALL_SHORTCUT=0 /quiet
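The script above does its job, but when it is pushed to hundreds of hosts two things matter more than on a single test box: each step should fail loudly rather than let msiexec run against a half-applied policy, and the service account password should not sit in plaintext in a file on the software share. The version below is an added example, not the post's installad.ps1; it keeps the same three steps, the same paths and the same account name, and replaces the hard-coded password with a Get-Credential prompt. The parameter names and the temporary database path are assumptions of this example.

```powershell
# Added example (not the post's installad.ps1): the same install sequence with
# exit-code checks and no plaintext password in the script. Template path, MSI
# location, deployment server and account name are the post's; the parameter
# names and the temporary .sdb path are assumptions of this example.
param(
    [string]$TemplatePath     = "S:\Splunk\splunk-lsp.inf",
    [string]$MsiPath          = "S:\Splunk\splunkforwarder.msi",
    [string]$DeploymentServer = "sp-deploy:8089",
    [string]$ServiceAccount   = "BD\sp-domain"
)

# Prompt for the service account password instead of hard-coding it.
$cred  = Get-Credential -UserName $ServiceAccount -Message "Splunk service account password"
$plain = $cred.GetNetworkCredential().Password

# 1. Import the user-rights template into a throw-away security database and apply it.
$db = Join-Path $env:TEMP "splunk-lsp.sdb"
secedit /import /cfg $TemplatePath /db $db | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit import failed with exit code $LASTEXITCODE" }

# /areas USER_RIGHTS limits the apply step to what the template actually contains.
secedit /configure /db $db /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed with exit code $LASTEXITCODE" }
Remove-Item $db -ErrorAction SilentlyContinue

# 2. Run the forwarder MSI silently and wait for it so the exit code can be checked.
$msiArgs = @(
    "/i", "`"$MsiPath`"",
    "AGREETOLICENSE=Yes",
    "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
    "LOGON_USERNAME=`"$ServiceAccount`"",
    "LOGON_PASSWORD=`"$plain`"",
    "INSTALL_SHORTCUT=0",
    "/quiet"
)
$proc  = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
$plain = $null   # drop the clear-text copy as soon as msiexec has it

# 0 = success, 3010 = success but a reboot is pending; anything else is a failure.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}
Write-Output "Splunk Universal Forwarder installed as $ServiceAccount (exit $($proc.ExitCode))"
```

Two caveats a practitioner should keep in mind. The password is still passed to msiexec on its command line, so it is visible in process-creation auditing (Sysmon event 1 or Security event 4688 with command-line logging) for as long as the installer runs; that is inherent to the MSI properties the forwarder exposes, not something the script can avoid. And because the script now prompts, a remoting wrapper that fans it out to many hosts should collect the credential once on the operator's side and pass it in as a PSCredential argument rather than prompting on each remote session.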

With a little planning and preparation, you can deploy the Splunk Universal Forwarder across your domain in a very automated fashion.
