
I have a UAC-enabled Server 2008 R2 machine with Splunk splunk-4.1.7-95063-x64-release installed.

I am using a low-privilege account (just the minimum listed in the docs, http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splunk_should_run_as).

This seems fine for splunkd; it can run, open port 8089, and appears to be indexing.

The splunkweb service never opens a port and seems to generate these errors every time it starts. Apparently it wants to query the Service Control Manager.

When I run the service interactively I get a UAC prompt.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4656
Task Category: Other Object Access Events
Level: Information
Keywords: Audit Failure
Description: A handle to an object was requested.

Subject:
    Security ID: xxx\service-splunk
    Account Name: service-splunk
    Account Domain: xxx
    Logon ID: 0x15cb85

Object:
    Object Server: SC Manager
    Object Type: SC_MANAGER OBJECT
    Object Name: ServicesActive
    Handle ID: 0x0

Process Information:
    Process ID: 0x204
    Process Name: C:\Windows\System32\services.exe

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: DELETE
              READ_CONTROL
              WRITE_DAC
              WRITE_OWNER
              Connect to service controller
              Create a new service
              Enumerate services
              Lock service database for exclusive access
              Query service database lock state
              Set last-known-good state of service database
    Access Reasons: -
    Access Mask: 0xf003f
    Privileges Used for Access Check: -
    Restricted SID Count: 0

asked 26 Feb '11, 20:41

hughkelley

What user is SplunkWeb running as? LocalSystem? If you (temporarily) disable UAC, does it make any difference? If you run netstat -an -p tcp, is port 8000 used for anything else?

(26 Feb '11, 20:59) southeringtonp ♦

Port 8000 isn't in use by anybody else.

I haven't tried disabling UAC since that's a no-go configuration in our environment. I did try running the Python exe interactively (-debug) as the service account. That's when I saw the UAC prompt.

(28 Feb '11, 11:03) hughkelley
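
An added example, not part of the original thread: decoding the Access Mask from the 4656 event in the question shows which SC Manager rights the handle request asked for, and that 0xf003f is the full SC_MANAGER_ALL_ACCESS set. The function names and the `ASSUMED_GRANTED` baseline are assumptions made for illustration; the baseline in particular should be checked against the host's real SC Manager descriptor.

```python
import re

# SC Manager access rights from winsvc.h / winnt.h (bit -> name).
SCM_RIGHTS = {
    0x00001: "SC_MANAGER_CONNECT",
    0x00002: "SC_MANAGER_CREATE_SERVICE",
    0x00004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x00008: "SC_MANAGER_LOCK",
    0x00010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x00020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
SC_MANAGER_ALL_ACCESS = 0xF003F
# ASSUMPTION: read-only rights a non-admin service logon usually holds on the
# SCM; confirm the real descriptor on the host with `sc sdshow scmanager`.
ASSUMED_GRANTED = 0x20015
# Fields copied from the 4656 event in the question.
EVENT = ("Event ID: 4656 Keywords: Audit Failure Account Name: service-splunk "
         "Object Server: SC Manager Object Name: ServicesActive "
         "Access Mask: 0xf003f")

def decode(mask):
    """Return the names of every right set in mask, lowest bit first."""
    names = [name for bit, name in sorted(SCM_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(SCM_RIGHTS)  # bits this table does not know about
    return names + ([hex(unknown)] if unknown else [])

def assess(event_text, granted=ASSUMED_GRANTED):
    """Summarise a failed handle request against the SC Manager."""
    if "Object Server: SC Manager" not in event_text:
        raise ValueError("not an SC Manager access event")
    m = re.search(r"Access Mask:\s*(0x[0-9a-fA-F]+)", event_text)
    if m is None:
        raise ValueError("no Access Mask field found")
    mask = int(m.group(1), 16)
    account = re.search(r"Account Name:\s*(\S+)", event_text)
    return {
        "account": account.group(1) if account else None,
        "mask": mask,
        "all_access": mask == SC_MANAGER_ALL_ACCESS,
        "requested": decode(mask),
        "beyond_granted": decode(mask & ~granted),
    }

if __name__ == "__main__":
    print(assess(EVENT))
```

The `beyond_granted` list is the part of the request that the assumed read-only baseline would not cover.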

One Answer:

Have you tried re-entering the password for the service account in the Services Control panel?

answered 26 Feb '11, 21:07

gkanapathy ♦

Yes, the service runs fine when I make the account a local administrator, so the username and password are fine.

I feel pretty confident this is a Windows UAC issue. The documentation seems to indicate that this (non-admin) configuration can be made to work.

Has anybody else gotten it going?

(28 Feb '11, 11:00) hughkelley

Last updated: 11 Apr '11, 00:22

Copyright © 2005-2012 Splunk Inc. All rights reserved.