
Use Access Control Lists
To help secure your Splunk configuration, use the Splunk Enterprise Access Control Lists (ACLs) to limit the IP addresses that can access various parts of your networks.
To configure ACLs, you edit server.conf and inputs.conf to specify the IP addresses that will be accepted or rejected for various communications.
How to set up ACLs
The addresses are separated by commas or spaces. You can provide the addresses in the following formats:
- A single IPv4 or IPv6 address. For example: 10.1.2.3, fe80::4a3
- A CIDR block of addresses. For example: 10/8, fe80:1234/32
- A DNS name, possibly with an * used as a wildcard. For example: myhost.example.com, *.splunk.com
- A single * which matches anything (this is the default value).
To include addresses, add them in one of the formats described above. To exclude an address, prefix it with '!'.
Rules are applied in order, and the first one to match is used. For example, !10.1/16, * will allow connections from everywhere except the 10.1.*.* network.
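The first-match ordering described above, modelled as an added example (not Splunk's own code): a small Python evaluator for the list formats on this page. The hostname argument used for DNS-name rules and the reject-when-nothing-matches result are assumptions of this example.

```python
import fnmatch
import ipaddress
import re


def _network(pattern):
    """Parse an address or CIDR block; pad IPv4 shorthand such as 10/8."""
    addr, _, prefix = pattern.partition("/")
    if re.fullmatch(r"\d+(\.\d+){0,3}", addr):
        addr = ".".join((addr.split(".") + ["0"] * 3)[:4])
    try:
        return ipaddress.ip_network(addr + ("/" + prefix if prefix else ""),
                                    strict=False)
    except ValueError:
        return None  # not an IP pattern; handled as a DNS name below


def evaluate(acl, ip, hostname=None):
    """Return True to accept, False to reject. The first matching rule wins."""
    client = ipaddress.ip_address(ip)
    for rule in re.split(r"[,\s]+", acl.strip()):
        if not rule:
            continue
        reject = rule.startswith("!")
        pattern = rule.lstrip("!")
        net = _network(pattern)
        if pattern == "*":
            matched = True
        elif net is not None:
            matched = client.version == net.version and client in net
        else:
            # DNS-name rule: compared against a caller-supplied name (assumption)
            matched = hostname is not None and fnmatch.fnmatchcase(
                hostname.lower(), pattern.lower())
        if matched:
            return not reject
    return False  # assumption: a client that matches no rule is rejected


if __name__ == "__main__":
    # Constructed sample clients checked against the page's example list
    for ip in ("10.1.5.9", "10.2.0.1"):
        print(ip, "accepted" if evaluate("!10.1/16, *", ip) else "rejected")
```

Reversing the list to *, !10.1/16 accepts every client, because * matches first and the exclusion is never reached.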
Where to set up ACLs
You can secure IP addresses for the following connections by editing the [Accept from] value:
- To instruct a node to only accept replicated data from other nodes with specific IPs, edit the httpServer stanza in server.conf.
  If you set this attribute, you must make sure that you include the IP addresses of all other peers in the cluster. For more information about clusters, see "About clusters and index replication". For more information about editing server.conf, see server.conf.
- To restrict TCP communications to specific IP addresses, edit the tcp stanza in inputs.conf. Be careful, as this will overwrite the output values in server.conf if the information conflicts.
- To restrict TCP communications that use SSL to specific IP addresses, edit the tcp-ssl stanza in inputs.conf.
- To restrict your indexer to accept data only from forwarders with specific IP addresses, edit the splunktcp stanza in inputs.conf. This prevents someone from spoofing your forwarders and possibly corrupting your data.
- If your forwarder to indexer communications are secured with SSL, edit the splunktcp-ssl stanza in inputs.conf to restrict your indexer to only accept data from forwarders with specific IP addresses.
- To restrict UDP communications to specific IP addresses, edit the UDP stanza in inputs.conf.
For more information about editing inputs.conf, see inputs.conf.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1