Hello,
I'm encountering an issue with Splunk Forwarder on a Windows Server OS. When it runs under the "SplunkForwarder" user, it fails to send Sysmon logs. Surprisingly, the forwarding works correctly when the forwarder is configured to run as the "SYSTEM" user.
While this resolves the immediate problem, I'm hesitant to continue using the "SYSTEM" user due to its extensive access to system resources. I'm seeking a better solution that allows the Splunk Forwarder to send Sysmon logs without compromising security. Any guidance on this matter would be greatly appreciated.
Thank you.
Hi @maede_yavari,
this isn't a Splunk issue: if you want to have more security running Splunk Universal Forwarder with a not LOCAL SYSTEM user, you have to give to the user that you're using the grants to read you eventlog: you need a Windows technician, or you could accept to run Splunk using SYSTEM.
Ciao.
Giuseppe