Splunk® Enterprise

Securing Splunk Enterprise


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Turn on encryption (https) with Splunk Web

This topic explains how to use Splunk Web to enable HTTPS for browser to Splunk Web communication. Splunk software can listen on HTTPS or HTTP, but not both.

The basic encryption that you turn on in Splunk Web uses the default certificate that ships with the out-of-the-box installation. Because every installation provides the same default certificate, this method is not highly secure. If security is a priority, replace the default certificate and configure authentication. See Secure Splunk Web with your own certificate for information about replacing the default certificates.

To enable HTTPS with Splunk Web:

1. In Splunk Web, select Settings > System > Server settings, and then click General Settings.

2. Under Splunk Web, for Enable SSL (HTTPS) in Splunk Web, select the Yes radio button.

By default, Splunk deployments point to the default certificates when encryption is turned on, so no further action is needed.

3. Restart Splunk Web.

You must now prepend "https://" to the URL you use to access Splunk Web.
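
To check what this procedure leaves in effect, the following added example (not Splunk's own code) merges the [settings] stanza of $SPLUNK_HOME/etc/system/default/web.conf and $SPLUNK_HOME/etc/system/local/web.conf, with local winning, and reports when HTTPS is on but the key and certificate paths are still the defaults. The file contents are constructed samples; the setting names and default paths are the ones quoted in the reader comments on this page, and only these two configuration layers are considered.

```python
import configparser

# Default key/certificate paths as quoted in a reader comment on this page.
DEFAULT_PATHS = {"privkeypath": "etc/auth/splunkweb/privkey.pem",
                 "cacertpath": "etc/auth/splunkweb/cert.pem"}
TRUTHY = {"true", "1", "yes"}  # spellings this example accepts (assumption)

# Constructed sample file contents, not copied from a real installation.
DEFAULT_CONF = """[settings]
enableSplunkWebSSL = false
httpport = 8000
privKeyPath = etc/auth/splunkweb/privkey.pem
caCertPath = etc/auth/splunkweb/cert.pem
"""
LOCAL_AFTER_GUI = """[settings]
enableSplunkWebSSL = true
"""
LOCAL_OWN_CERT = """[settings]
enableSplunkWebSSL = true
privKeyPath = etc/auth/mycerts/web_privkey.pem
caCertPath = etc/auth/mycerts/web_cert.pem
"""

def effective_settings(default_text, local_text):
    """Merge [settings]: keys set in local override those in default."""
    merged = {}
    for text in (default_text, local_text):  # later layer wins
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        if cp.has_section("settings"):
            merged.update(cp["settings"])  # configparser lower-cases key names
    return merged

def audit(default_text, local_text):
    """Return (https_enabled, findings) for the merged configuration."""
    s = effective_settings(default_text, local_text)
    https = s.get("enablesplunkwebssl", "false").strip().lower() in TRUTHY
    if not https:
        return False, ["Splunk Web is served over plain HTTP"]
    findings = []
    for key, shipped in DEFAULT_PATHS.items():
        # A key missing from both layers is treated as the default (assumption).
        if s.get(key, shipped).strip() == shipped:
            findings.append(f"{key} still uses the default file {shipped}")
    return True, findings

if __name__ == "__main__":
    for name, local in [("GUI toggle only", LOCAL_AFTER_GUI), ("own cert", LOCAL_OWN_CERT)]:
        print(name, audit(DEFAULT_CONF, local))
```
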


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2


Hi all, I've removed the code sample from this topic. I agree the code sample is very confusing (and the path is wrong) and it is not the same for every configuration. It is also simply informational and not meant to be edited, so I don't really think it adds much value to the topic, especially considering how much confusion it causes. If you would like to review the web.conf default configurations, you can look here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf

Jworthington splunk, Splunker
February 17, 2016

Making changes to /system/default .. That's a paddlin' !

February 16, 2016

Directory for web.conf is incorrect.

Should be $SPLUNK_HOME/etc/system/default/web.conf

February 10, 2016

In Version 6.3.0 of Splunk, settings in $SPLUNK_HOME/etc/system/local/web.conf override the settings of $SPLUNK_HOME/etc/system/default/web.conf.

Settings not listed in (aka overridden by) $SPLUNK_HOME/etc/system/local/web.conf are still read from $SPLUNK_HOME/etc/system/default/web.conf.

Hence, not all the settings as shown below (and in point 2. above) may be visible in $SPLUNK_HOME/etc/system/local/web.conf. For me, privKeyPath and caCertKeyPath are being read from $SPLUNK_HOME/etc/system/default/web.conf when enabling HTTPS in splunk web while still using self-signed certs. The default enableSplunkWebSSL of False in $SPLUNK_HOME/etc/system/default/web.conf is being overwritten by $SPLUNK_HOME/etc/system/local/web.conf.

enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/privkey.pem
caCertPath = etc/auth/splunkweb/cert.pem

October 11, 2015

You can not bind to a port < 1024 as a non-root user in GNU Linux. If you're not using a proxy or load balancer and don't want to specify a port number in the URL (i.e. you would prefer to use port 80 or in this case 443), this can cause some problems. To resolve, simply bind to 8443 (or something else above 1024) and then NAT to 443 to work around this issue.

In $SPLUNK_HOME/etc/system/local/web.conf


As root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables-save

April 30, 2015

Step 2 - Splunk is already set to point to the default certificates when encryption is turned on. The following default configuration can be found in $SPLUNK_HOME/etc/auth/web.conf. The path to web.conf is wrong. Please refer to correct path as specified in this 5.0.7 link:
http://docs.splunk.com/Documentation/Splunk/5.0.7/Security/Turnonbasicencryptionusingweb.conf

February 7, 2014

Hi Rfrey,

Thanks for your input! If you are interested in learning more about working as a non-root user, we have some additional documentation about it here: http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser

Hope that helps,
Jen

Jworthington splunk
November 4, 2013

You cannot bind to < 1024 as a non-root user in GNU Linux. Since most people don't want to specify a port number in the URL and would prefer to use port 443, this can cause some problems. From what I understand most people bind to 8443 (or something else above 1024) and then NAT to 443 to work around this issue.

In $SPLUNK_HOME/etc/system/local/web.conf

[settings]
httpport=8443

As root:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables-save

November 4, 2013
