Secure Splunk Enterprise service accounts

Splunk Enterprise runs in the context of a user account on the machine where you installed the software. For an improved security profile, practice the principle of least privilege by running Splunk Enterprise as a user with low privileges rather than using a privileged account such as root or Administrator.

To apply the principle of least privilege in Splunk Enterprise operations:

  • On Unix or Linux, use the "splunk" user that the Splunk .pkg and .rpm installation packages create. Alternatively, create a non-privileged user that has access to and ownership of the $SPLUNK_HOME directory.
  • On Windows, the Local System account is currently the only available choice for running Splunk Enterprise. If you require access to files or directories over a network, or communication using a service such as Windows Management Instrumentation, install a universal forwarder and specify a standard Windows account when you perform the installation. Restrict that account's access to only the resources you need to monitor. If necessary, you can run a universal forwarder alongside your Splunk Enterprise for Windows instance to collect and forward data locally. See "Choose the Windows user Splunk Enterprise should run as".
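For the Unix or Linux case, the following is an added example (not from the Splunk documentation) of creating the non-privileged service account, giving it ownership of $SPLUNK_HOME, and auditing that no file is owned by another user and that splunkd is not running as root. The account name, the nologin shell path (which varies by distribution) and the helper function names are assumptions.

```shell
#!/bin/sh
# Constructed example: least-privilege service account for Splunk Enterprise.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"   # assumed account name
NOLOGIN="${NOLOGIN:-/usr/sbin/nologin}" # assumed path; /sbin/nologin on RHEL

# Create a system account with no interactive shell (run as root, once).
create_splunk_user() {
    id "$SPLUNK_USER" >/dev/null 2>&1 && return 0
    useradd --system --home-dir "$SPLUNK_HOME" --shell "$NOLOGIN" "$SPLUNK_USER"
}

# Hand the whole installation directory to the service account.
own_splunk_home() {
    chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
}

# Print the owning user of a path (GNU stat first, BSD/macOS stat fallback).
path_owner() {
    if stat -c '%U' "$1" >/dev/null 2>&1; then
        stat -c '%U' "$1"
    else
        stat -f '%Su' "$1"
    fi
}

# Audit: succeed only if every entry under $1 is owned by user $2.
audit_ownership() {
    dir="$1"; want="$2"
    find "$dir" -print | while IFS= read -r p; do
        [ "$(path_owner "$p")" = "$want" ] || { echo "wrong owner: $p" >&2; exit 1; }
    done
}

# Audit: succeed only if no splunkd process is running as root.
splunkd_not_root() {
    ps -eo user=,comm= | awk '$2 == "splunkd" && $1 == "root" { found = 1 }
                              END { exit found ? 1 : 0 }'
}
```

Run `create_splunk_user` and `own_splunk_home` as root after installation, then schedule `audit_ownership "$SPLUNK_HOME" "$SPLUNK_USER" && splunkd_not_root` as a periodic check.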