Choose the Windows user Splunk Enterprise should run as
Note: It is no longer possible to choose the Windows user that Splunk Enterprise runs as.

As of version 10.2, new installations of Splunk Enterprise on Windows can no longer run as either the Local System user or a domain user. When you upgrade Splunk Enterprise on Windows to version 10.2 or higher, the installer changes the instance to run as a non-privileged service account unless you pass a command line argument to the Windows installer, as described later in this topic. See Splunk has changed how you install Splunk Enterprise on Windows. Splunk made this change to improve security and to reduce the overall complexity of installing and using Splunk Enterprise on Windows. If you currently run Splunk Enterprise as the Local System user or a domain user, you can keep that configuration by following the instructions in this topic. Read on to understand how these changes affect you and what you must do to maintain your existing user configuration during an upgrade.
Splunk has changed how you install Splunk Enterprise on Windows
- There is no longer an option to install Splunk Enterprise as a domain user for new installations. If you want to collect data from a Windows machine using a domain user, install a Universal Forwarder instead. The UF lets you choose a domain user or select the Local System user. See Install a Windows universal forwarder from an installer.
Note: It is possible to run both a Universal Forwarder and a Splunk Enterprise indexer or search head on the same machine, with the UF collecting the data and sending it to the local Splunk Enterprise instance.
- When you install Splunk Enterprise version 10.2 or higher, or upgrade an existing installation to it, Splunk Enterprise runs as the unprivileged local service account NT SERVICE\Splunkd by default. This happens when you either pass the INSTALL_AS_ADMINISTRATOR=0 argument to the msiexec installer or omit the argument entirely.
- To continue running Splunk Enterprise as the Local System user or a domain user during an upgrade, you must include the INSTALL_AS_ADMINISTRATOR=1 argument when you run the installer. For example, to perform a quiet upgrade that keeps the existing Local System or domain user configuration, run the following command:

```
msiexec.exe /i "splunk.msi" INSTALL_AS_ADMINISTRATOR=1 /qn
```

- If Splunk Enterprise was installed to run as a domain user, the upgrade to version 10.2 does not remove that domain user from the local Administrators group, but grants the NT SERVICE\Splunkd user access to the resources that the domain user had. Review whether that domain user still needs its local Administrators membership and remove it manually if it does not; the installer leaves it in place.
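The upgrade decision described above, written out as a PowerShell script. This is an added example, not from the Splunk documentation or the Splunk installer: it records which account the Splunkd service runs as, chooses the INSTALL_AS_ADMINISTRATOR value that preserves that account (or deliberately moves to the virtual service account when you ask for it), runs the quiet upgrade, and verifies the result. The MSI path and the log path are assumptions; the service name Splunkd follows from the NT SERVICE\Splunkd virtual account the page names.

```powershell
# Added example, not from the Splunk documentation. Assumptions not stated on the
# page: the MSI location and the log path. Service name "Splunkd" follows from
# the NT SERVICE\Splunkd virtual account (virtual accounts are NT SERVICE\<name>).

param(
    [string]$MsiPath = 'C:\Temp\splunk.msi',            # assumed installer location
    [string]$LogPath = "$env:TEMP\splunk-upgrade.log",  # verbose MSI log, our choice
    [switch]$MigrateToServiceAccount                      # drop Local System / domain user
)

$ServiceAccount = 'NT SERVICE\Splunkd'

function Get-SplunkdLogonAccount {
    # Returns the logon account of the Splunkd service as Windows reports it:
    # 'LocalSystem', 'NT SERVICE\Splunkd' or 'DOMAIN\user'. $null if not installed.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Splunkd'"
    if ($null -eq $svc) { return $null }
    return $svc.StartName
}

function Get-InstallAsAdministratorFlag {
    param([string]$CurrentAccount, [bool]$Migrate)
    # New install, already on the virtual account, or explicit migration -> 0
    # (the default behaviour). Existing Local System or domain user to keep -> 1.
    if ([string]::IsNullOrEmpty($CurrentAccount) -or
        $CurrentAccount -eq $ServiceAccount -or
        $Migrate) {
        return 'INSTALL_AS_ADMINISTRATOR=0'
    }
    return 'INSTALL_AS_ADMINISTRATOR=1'
}

$before = Get-SplunkdLogonAccount
$flag   = Get-InstallAsAdministratorFlag -CurrentAccount $before -Migrate $MigrateToServiceAccount.IsPresent
Write-Host "Splunkd currently runs as '$before'; installing with $flag"

# Quiet install/upgrade. /L*v writes a verbose MSI log for troubleshooting.
$msiArgs = @('/i', "`"$MsiPath`"", $flag, '/qn', '/L*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {          # 3010 = success, reboot required
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# Verify: the service account after the upgrade must match what the flag asked for.
$after    = Get-SplunkdLogonAccount
$expected = if ($flag -eq 'INSTALL_AS_ADMINISTRATOR=1') { $before } else { $ServiceAccount }
if ($after -eq $expected) {
    Write-Host "OK: Splunkd runs as '$after'."
} else {
    Write-Warning "Splunkd runs as '$after' but '$expected' was expected; check $LogPath."
}
```

Run it from an elevated PowerShell session on the host being upgraded. Without -MigrateToServiceAccount it preserves a Local System or domain user configuration, which is the case the page describes; with the switch it omits INSTALL_AS_ADMINISTRATOR=1 so the installer moves the instance to NT SERVICE\Splunkd. The final check catches the case where the flag was dropped or mistyped and the service silently ended up on a different account.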
User limitations for running Splunk Enterprise on Windows
These changes introduce limitations to how you can run Splunk Enterprise on Windows.
- When Splunk Enterprise runs as the NT SERVICE\Splunkd user, the software cannot access network resources that require domain authentication. This is because the NT SERVICE\Splunkd user is a local service user and lacks the following:
  - Access Control List (ACL) permissions on network shares
  - The network privileges required to collect data remotely from other machines using Windows Management Instrumentation (WMI)

  Alternative: Install the Splunk Universal Forwarder on Windows machines where you need to use domain users or local administrative access. The Universal Forwarder can still be installed as the local administrator or a domain user.
- For Splunk Enterprise installations where the Splunk database directory is separate from the SPLUNK_HOME directory, you must grant the NT SERVICE\Splunkd user appropriate ACL permissions on the database directory tree. Failure to do so prevents Splunk Enterprise from accessing its databases. Use the icacls command-line utility in Windows to set the ACL permissions. Example:

```
icacls {path-to-db-tree} /grant "NT SERVICE\Splunkd:(OI)(CI)(F)" /t /c
```

  where:
  - {path-to-db-tree} - path to the Splunk database directory
  - (OI) - Object Inherit: files created in the directory tree inherit the permission.
  - (CI) - Container Inherit: subdirectories inherit the permission.
  - (F) - Assign "Full control" permissions to the resource.
  - /t - Applies permissions to the target directory and all its subdirectories and files. Without /t, the command applies permissions to the target directory only.
  - /c - Instructs the command to continue on access denied errors. This option attempts to apply the permissions to all files and subdirectories in {path-to-db-tree}. If it encounters an access denied error on any file or folder, it skips that file or folder and continues processing the remaining items in the path.

  Because /c skips items it cannot modify, check the command output for access denied errors and fix the ownership or ACL of any skipped items; Splunk Enterprise still cannot read those items until the NT SERVICE\Splunkd user has access to them.
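The grant above together with the verification a practitioner would want afterwards, as an added PowerShell example that is not part of the Splunk documentation. It runs the same icacls command the page shows against a database tree outside SPLUNK_HOME, then walks the tree with Get-Acl and reports every file or directory whose ACL still lacks a FullControl allow entry for NT SERVICE\Splunkd, which is exactly the set of items that /c skipped on access denied. The path D:\SplunkDB is an assumption; substitute your own SPLUNK_DB location.

```powershell
# Added example, not from the Splunk documentation. D:\SplunkDB is an assumed
# location for a database tree that lives outside SPLUNK_HOME.

param([string]$DbRoot = 'D:\SplunkDB')

$Account = 'NT SERVICE\Splunkd'
$Full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Test-SplunkdFullControlAce {
    param([string]$Path)
    # True if the item's ACL carries an Allow ACE (explicit or inherited) that
    # gives the Splunkd virtual account FullControl.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return $false   # cannot even read the ACL: treat as not granted
    }
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band $Full) -eq $Full)) {
            return $true
        }
    }
    return $false
}

function Get-ItemsMissingSplunkdAce {
    param([string]$Root)
    # Walk the whole tree and collect every file or directory the Splunkd
    # account still cannot fully control. After "icacls ... /t /c" these are
    # the items that were skipped because of access denied errors.
    $missing = @()
    if (-not (Test-SplunkdFullControlAce $Root)) { $missing += $Root }
    $children = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $children) {
        if (-not (Test-SplunkdFullControlAce $item.FullName)) { $missing += $item.FullName }
    }
    return $missing
}

# 1. The grant from the page: inheritable FullControl, recursive, continue on errors.
& icacls.exe $DbRoot /grant "${Account}:(OI)(CI)(F)" /t /c | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "icacls returned $LASTEXITCODE; some items were probably skipped."
}

# 2. Verify. Anything listed here is still inaccessible to Splunk Enterprise and
#    needs its ownership or ACL fixed by an administrator before Splunkd is started.
$gaps = Get-ItemsMissingSplunkdAce -Root $DbRoot
if ($gaps.Count -eq 0) {
    Write-Host "All items under $DbRoot grant FullControl to $Account."
} else {
    Write-Warning "$($gaps.Count) item(s) under $DbRoot do not grant FullControl to ${Account}:"
    $gaps | ForEach-Object { Write-Warning "  $_" }
}
```

Run it elevated, with the Splunkd service stopped if the tree is in use. The verification matters because icacls /c exits non-zero but does not summarise which items it skipped; the Get-Acl pass gives you that list directly.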