Splunk® Enterprise

Securing Splunk Enterprise


Use Access Control Lists

To help secure your Splunk configuration, use the Splunk Enterprise Access Control Lists (ACLs) to limit the IP addresses that can access various parts of your networks.

To configure ACLs, you edit server.conf and inputs.conf to specify the IP addresses that will be accepted or rejected for various communications.

How to set up ACLs

The addresses are separated by commas or spaces. You can provide the addresses in the following formats:

  • A single IPv4 or IPv6 address. For example: 10.1.2.3, fe80::4a3.
  • A CIDR block of addresses. For example: 10/8, fe80:1234/32.
  • A DNS name, possibly with an * used as a wildcard, for example: myhost.example.com, *.splunk.com.
  • A single * which matches anything (this is the default value).

To allow an address, list it in one of the formats described above. To exclude an address, prefix it with '!'.

Rules are applied in order, and the first one to match is used. For example, !10.1/16, * will allow connections from everywhere except the 10.1.*.* network.
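To see how the first-match rule interacts with the address formats above, the following is an added Python checker; it is not part of the Splunk documentation or product. It evaluates a candidate acceptFrom value against a client address (and optionally its resolved DNS name) before you commit the value to server.conf or inputs.conf. It assumes that Splunk's short CIDR forms pad the missing IPv4 octets or IPv6 groups with zeros and that a client matching no rule at all is rejected; both are assumptions, not documented behaviour.

```python
import ipaddress
from fnmatch import fnmatchcase


def _to_network(pattern):
    """Parse one address or CIDR rule into an ip_network. Short CIDR forms
    (10/8, 10.1/16, fe80:1234/32) are expanded by zero-padding the missing
    octets/groups (an assumption about how Splunk reads them). Raises
    ValueError for anything that is not an address (a DNS-name rule)."""
    if "/" not in pattern:
        return ipaddress.ip_network(pattern, strict=False)  # single host
    addr, prefix = pattern.split("/", 1)
    if ":" in addr:
        if "::" not in addr and addr.count(":") < 7:
            addr += "::"                     # fe80:1234 -> fe80:1234::
    else:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))  # 10.1 -> 10.1.0.0
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_accept_from(value):
    """Split an acceptFrom value (comma- or space-separated) into ordered
    (negated, pattern) tuples; a leading '!' marks an exclusion rule."""
    rules = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        rules.append((negated, token[1:] if negated else token))
    return rules


def rule_matches(pattern, client_ip, client_hostname=None):
    """True if one rule matches the client's IP (or its resolved DNS name)."""
    if pattern == "*":
        return True
    try:
        net = _to_network(pattern)
    except ValueError:
        # Not an address: a DNS name where '*' is a wildcard (e.g. *.splunk.com)
        return client_hostname is not None and fnmatchcase(
            client_hostname.lower(), pattern.lower())
    addr = ipaddress.ip_address(client_ip)
    return addr.version == net.version and addr in net


def is_accepted(accept_from, client_ip, client_hostname=None):
    """Apply the rules in order; the first match decides. A client that
    matches no rule is rejected (assumed default-deny)."""
    for negated, pattern in parse_accept_from(accept_from):
        if rule_matches(pattern, client_ip, client_hostname):
            return not negated
    return False
```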

Where to set up ACLs

You can restrict the following connections to specific IP addresses by editing the acceptFrom setting in the stanzas listed below:

  • To instruct a node to accept replicated data only from other nodes with specific IPs, edit the httpServer stanza in server.conf.
    If you set this attribute, make sure that you include the IP addresses of all other peers in the cluster. For more information about clusters, see "About clusters and index replication". For more information about editing server.conf, see server.conf.
  • To restrict TCP communications to specific IP addresses, edit the tcp stanza in inputs.conf. Be careful, as this will overwrite the output values in server.conf if the information conflicts.
  • To restrict TCP communications that use SSL to specific IP addresses, edit the tcp-ssl stanza in inputs.conf.
  • To restrict your indexer to accept data only from forwarders with specific IP addresses, edit the splunktcp stanza in inputs.conf. This prevents someone from spoofing your forwarders and possibly corrupting your data.
  • If your forwarder to indexer communications are secured with SSL, edit the splunktcp-ssl stanza in inputs.conf to restrict your indexer to only accept data from forwarders with specific IP addresses.
  • To restrict UDP communications to specific IP addresses, edit the udp stanza in inputs.conf.

For more information about editing inputs.conf, see inputs.conf.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0, 7.2.1
