Re: Windows Server 2012 - Splunkd Service Access D...

UserFriendly · ‎02-03-2013

We're having a bit of an issue with our new Splunk install on Windows Server 2012. The Splunkd and Splunkweb services will not start when using a domain service account. They fail with a "Access Denied" message.

We're using a Domain Admin account and have verified that the following Local Policies were set for it:

Permission to log on as a service

Permission to log on as a batch job

Permission to replace a process-level token

Permission to act as part of the operating system

Permission to bypass traverse checking

I also verified that we do not have "Permission to log on as a service" set as a GPO - so that shouldn't be overiding the local policy.

Has anyone else had any experience with this? I've been racking my brain for 2 days trying to figure this one out and would greatly appreciate any direction in the matter. Thanks!

UserFriendly · ‎02-05-2013

In case anyone else is encountering this issue:

We fixed this in a kind of roundabout way. The Splunk server was a Server 2012 on a VMware VM. I had to go in and disable the hotplug ability on the guest. This allowed the services to run under a domain service account but for some reason it cut off all network access to the server.

I then added a second NIC, booted up the VM and network connectivity was restored but the services failed again. After that I shutdown the machine, removed the new NIC and powered back on. For some reason network connectivity is restored and the splunk services are running under the domain account. I will update this entry as I find more information.

Windows Server 2012 - Splunkd Service Access Denied

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...