Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Deploy secure passwords across multiple servers

At initial startup, Splunk creates a file $SPLUNK_HOME/etc/auth/splunk.secret. This file contains a key used to encrypt some of your authentication information in configuration files:

  • web.conf: Your SSL passwords on every instance.
  • authentication.conf: Your LDAP passwords, if you have any.
  • inputs.conf: Your SSL passwords, if you use splunktcp-ssl.
  • outputs.conf:: Your SSL passwords, if you use splunktcp-ssl.

When Splunk starts, if it detects a clear-text password, in one of these settings, it will create or overwrite the configuration in the equivalent local folder with the encrypted password.

When deploying Splunk on multiple servers, you can do the following to encrypt these passwords and ensure that they are consistent across your deployment. You should perform these steps at initial deployment and also any time you need to deploy a new password for your instances:

1. Configure one Splunk instance and modify any passwords as necessary. (If this is a new configuration, do not start any other instances yet.)

2. Restart the configured instance to encrypt the passwords in the file. Password information is stored in clear text until it is encrypted at restart.

3. Copy the encrypted splunk.secret file from your configured instance to all of your other instances.

4. Start all new instances to which you copied the file or restart existing instances if you are distributing a modified file after deployment.

To secure search head clustering

The -secret attribute specifies the security key that authenticates communication between the cluster members and between each member and the deployer. This parameter is optional, but if you configure it for one member, you must configure it for all. The key must be the same across all cluster members and the deployer. See Set a secret key for the search head cluster in the Distributed Search manual.

Note: Splunk strongly recommends that you set a secret key.

For example:

splunk init shcluster-config -auth admin:changed -mgmt_uri https://sh1.ajax.com:8089 -replication_port 34567 -replication_factor 2 -conf_deploy_fetch_url -secret mykey

splunk restart 

Once you have done this, for each instance run the splunk init shcluster-config command and restart the instance:

splunk init shcluster-config -auth <username>:<password> -mgmt_uri <URI>:<management_port> -replication_port <replication_port> -replication_factor <n> -conf_deploy_fetch_url <URL>:<management_port> -secret security_key

splunk restart 

Use the following step to copy splunk.secret on an existing search head that is currently running:

1. Copy $SPLUNK_HOME/etc/auth/splunk.secret to each of the search heads.

2. Copy the sslKeysfilePassword attribute in the [sslConfig] stanza in $SPLUNK_HOME/etc/system/local/server.conf to each of the search heads.

3. Re-enter the passphrase for each search head.

4. Restart all search heads.

Last modified on 26 September, 2016
Secure your service accounts
Some best practices for your servers and operating system

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters