Deploy secure passwords across multiple servers
At initial startup, Splunk creates a file
$SPLUNK_HOME/etc/auth/splunk.secret. This file contains a key used to encrypt some of your authentication information in configuration files:
web.conf: Your SSL passwords on every instance.
authentication.conf: Your LDAP passwords, if you have any.
inputs.conf: Your SSL passwords, if you use
outputs.conf:: Your SSL passwords, if you use
When Splunk starts, if it detects a clear-text password, in one of these settings, it will create or overwrite the configuration in the equivalent local folder with the encrypted password.
When deploying Splunk on multiple servers, you can do the following to encrypt these passwords and ensure that they are consistent across your deployment. You should perform these steps at initial deployment and also any time you need to deploy a new password for your instances:
1. Configure one Splunk instance and modify any passwords as necessary. (If this is a new configuration, do not start any other instances yet.)
2. Restart the configured instance to encrypt the passwords in the file. Password information is stored in clear text until it is encrypted at restart.
3. Copy the encrypted
splunk.secret file from your configured instance to all of your other instances.
4. Start all new instances to which you copied the file or restart existing instances if you are distributing a modified file after deployment.
To secure search head clustering
-secret attribute specifies the security key that authenticates communication between the cluster members and between each member and the deployer. This parameter is optional, but if you configure it for one member, you must configure it for all. The key must be the same across all cluster members and the deployer. See Set a secret key for the search head cluster in the Distributed Search manual.
Note: Splunk strongly recommends that you set a secret key.
splunk init shcluster-config -auth admin:changed -mgmt_uri https://sh1.ajax.com:8089 -replication_port 34567 -replication_factor 2 -conf_deploy_fetch_url https://10.160.31.200:8089 -secret mykey splunk restart
Once you have done this, for each instance run the
splunk init shcluster-config command and restart the instance:
splunk init shcluster-config -auth <username>:<password> -mgmt_uri <URI>:<management_port> -replication_port <replication_port> -replication_factor <n> -conf_deploy_fetch_url <URL>:<management_port> -secret security_key splunk restart
Use the following step to copy
splunk.secret on an existing search head that is currently running:
$SPLUNK_HOME/etc/auth/splunk.secret to each of the search heads.
2. Copy the
sslKeysfilePassword attribute in the [sslConfig] stanza in $SPLUNK_HOME/etc/system/local/server.conf to each of the search heads.
3. Re-enter the passphrase for each search head.
4. Restart all search heads.
Secure your service accounts
Harden your KV store port
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15