When running SplunkUF in LowPriv mode you will sometimes have to grant Read rights on folders that SplunkUF wants to collect data from, for example IIS log folders.
Example script:
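# Grants the Splunk Universal Forwarder's low-privilege service account read
# access to a list of folders on remote hosts, then restarts the forwarder on
# each host so the new permissions take effect.
#
# Input : a CSV with the columns "Hosts" and "FolderPaths". FolderPaths holds
#         one or more folder paths separated by ';'.
# Effect: every listed folder, and every subfolder below it, receives an
#         inheritable Allow ACE for $serviceAccountName with $permission.
#         Only ACEs are added; nothing is removed from the existing ACLs.
# Needs : PowerShell remoting to each host, plus rights to change the ACLs and
#         to restart the service there. The CSV decides which paths get their
#         ACLs modified, so it must only come from a trusted location.

$csvFilePath        = "c:\users\myuser\desktop\test_host.csv"
$serviceAccountName = "NT SERVICE\SplunkForwarder"
# ReadAndExecute already implies Read and Synchronize; kept as originally spelled.
$permission         = "Read, ReadAndExecute, Synchronize"

# Adds an inheritable (ContainerInherit,ObjectInherit) Allow ACE for $account
# with $rights to the folder at $path. Runs on the remote host via
# Invoke-Command, so it must be self-contained (no references to outer scope).
$addReadAce = {
    param($path, $account, $rights)
    $acl = Get-Acl -Path $path
    $accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $account, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($accessRule)
    Set-Acl -Path $path -AclObject $acl
}

# Returns the full paths of all folders below $root, recursively. Runs on the
# remote host. PSIsContainer is used instead of `Attributes -eq "directory"`:
# a folder carrying extra attributes (e.g. "Directory, Compressed") does not
# equal the plain string "directory" and would otherwise be skipped.
$listSubfolders = {
    param($root)
    Get-ChildItem -Path $root -Recurse |
        Where-Object { $_.PSIsContainer } |
        Select-Object -ExpandProperty FullName
}

$hostEntries = Import-Csv -Path $csvFilePath -Delimiter ","

foreach ($entry in $hostEntries) {
    $targetHost = $entry.Hosts
    # Drop empty elements so a trailing ';' in the CSV does not turn into a
    # Get-Acl call on an empty path.
    $folderPaths = $entry.FolderPaths -split ';' | Where-Object { $_.Trim() -ne '' }
    Write-Host "Working in: $targetHost"

    $session = $null
    try {
        $session = New-PSSession -ComputerName $targetHost -ErrorAction Stop

        foreach ($targetFolderPath in $folderPaths) {
            Write-Host "- Checking: $targetFolderPath"
            $subfolders = Invoke-Command -Session $session -ScriptBlock $listSubfolders -ArgumentList $targetFolderPath

            Invoke-Command -Session $session -ScriptBlock $addReadAce -ArgumentList $targetFolderPath, $serviceAccountName, $permission

            # The ACE on the parent is inheritable, so this explicit pass only
            # matters for subfolders whose inheritance has been disabled; it is
            # kept so such folders are covered too.
            foreach ($subfolder in $subfolders) {
                Write-Host "- - Checking: $subfolder"
                Invoke-Command -Session $session -ScriptBlock $addReadAce -ArgumentList $subfolder, $serviceAccountName, $permission
            }
        }

        # Restart so the forwarder's service account picks up the new rights.
        Invoke-Command -Session $session -ScriptBlock { Restart-Service -Name splunkforwarder }
    }
    catch {
        # Report and move on to the next host rather than aborting the whole run.
        Write-Warning "Failed on ${targetHost}: $_"
    }
    finally {
        # Always tear the session down, even when the host failed part-way.
        if ($session) { Remove-PSSession -Session $session }
    }
}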
Format of the .csv file:
Hosts,FolderPaths
Host1,C:\inetpub\logs\LogFiles\;D:\inetpub\logs\LogFiles\
Host2,C:\inetpub\logs\LogFiles\;D:\inetpub\logs\LogFiles\
Host3,C:\inetpub\logs\LogFiles\;D:\inetpub\logs\LogFiles\
Host4,C:\inetpub\logs\LogFiles\;D:\inetpub\logs\LogFiles\