voxpupuli / puppet-splunk

Manage Splunk servers and forwarders using Puppet
https://forge.puppet.com/puppet/splunk
Apache License 2.0

Wrong Splunk Forwarder user on Windows #369

Open Tamerz opened 6 months ago

Tamerz commented 6 months ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

    include splunk::forwarder

What are you seeing

The Linux package uses splunkfwd as the default user and group names. On Windows, SplunkForwarder is used for the user and group names. This causes the module to fail setting file permissions.

What behaviour did you expect instead

Output log

    change from 'NT AUTHORITY\SYSTEM' to 'splunkfwd' failed: Could not find user splunkfwd
    Source: /Stage[main]/Splunk::Forwarder::Config/File[C:\Program Files\SplunkUniversalForwarder/etc/system/local/server.conf]/owner

Tamerz commented 6 months ago

After a little more research, I can see the full user name and group name are NT SERVICE\SplunkForwarder, as reported by Puppet.

anthonysomerset commented 2 months ago

I am facing similar issues, but I have legacy clients trying to update. Setting this param in Hiera or equivalent seems to work for me, albeit a bit janky:

    splunk::forwarder::splunk_user: 'NT SERVICE\SplunkForwarder'

Not sure about "clean" installs yet.