Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk User of windows SplunkForwarder

maede_yavari
Explorer
‎01-22-2024 12:54 AM

Hello,

I'm encountering an issue with Splunk Forwarder on a Windows Server OS. When it runs under the "SplunkForwarder" user, it fails to send Sysmon logs. Surprisingly, the forwarding works correctly when the forwarder is configured to run as the "SYSTEM" user.

While this resolves the immediate problem, I'm hesitant to continue using the "SYSTEM" user due to its extensive access to system resources. I'm seeking a better solution that allows the Splunk Forwarder to send Sysmon logs without compromising security. Any guidance on this matter would be greatly appreciated.

Thank you.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-22-2024 01:58 AM

Hi @maede_yavari,

this isn't a Splunk issue: if you want to have more security running Splunk Universal Forwarder with a not LOCAL SYSTEM user, you have to give to the user that you're using the grants to read you eventlog: you need a Windows technician, or you could accept to run Splunk using SYSTEM.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...