puppet-splunk

Wrong Splunk Forwarder user on Windows

Open tamerz opened this issue 1 year ago • 2 comments

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: Any
  • Ruby: Any
  • Distribution: Windows (any modern version)
  • Module version: 10.0.0

How to reproduce (e.g Puppet code you use)

include puppet::forwarder

What are you seeing

The Linux package uses splunkfwd as the default user and group names. On Windows, SplunkForwarder is used for the user and group names. This causes the module to fail setting file permissions.

What behaviour did you expect instead

Output log

change from 'NT AUTHORITY\SYSTEM' to 'splunkfwd' failed: Could not find user splunkfwd

    Source: /Stage[main]/Splunk::Forwarder::Config/File[C:\Program Files\SplunkUniversalForwarder/etc/system/local/server.conf]/owner 

tamerz, Mar 28 '24 10:03

After a little more research, I can see that the full user name and group name is NT SERVICE\SplunkForwarder, as reported by Puppet.

tamerz, Mar 28 '24 14:03

I am facing similar issues, but I have legacy clients trying to update. Setting this param in Hiera or equivalent seems to work for me, albeit a bit janky:

splunk::forwarder::splunk_user: 'NT SERVICE\SplunkForwarder'

Not sure about "clean" installs yet.

anthonysomerset, Aug 01 '24 09:08