Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Use Access Control Lists

To help secure your Splunk configuration, use the Splunk Enterprise Access Control Lists (ACLs) to limit the IP addresses that can access various parts of your networks.

To configure ACLs, you edit server.conf and inputs.conf to specify the IP addresses that will be accepted or rejected for various communications.

How to set up ACLs

The addresses are separated by commas or spaces. You can provide the addresses in the following formats:

  • A single IPv4 or IPv6 address. For example:, fe80::4a3.
  • A CIDR block of addresses. For example: 10/8, fe80:1234/32.
  • A DNS name, possibly with an * used as a wildcard, for example: myhost.example.com, *.splunk.com.
  • A single * which matches anything (this is the default value).

To add addresses that you wish to include, you add the addresses in one of the formats described below. To exclude an address you prefix the address with '!'.

Rules are applied in order, and the first one to match is used. For example, !10.1/16, * will allow connections from everywhere except the 10.1.*.* network.

Where to set up ACLs

You can secure IP addresses for the following connections by editing the [Accept from] value:

  • To instruct a node to only accept replicated data from other nodes with specific IPs, edit the httpServer stanza in server.conf.
    If you set this attribute, you must make sure that you include the IP addresses of all other peers in the cluster. For more information about clusters, see "About clusters and index replication" For more information about editing server.conf, see server.conf.
  • To restrict TCP communications to specific IP addresses, edit the tcp stanza in inputs.conf. Be careful, as this will overwrite the output values in server.conf if the information conflicts.
  • To restrict TCP communications that use SSL to specific IP addresses, edit the tcp-ssl stanza in inputs.conf.
  • To restrict your indexer to accept data only from forwarders with specific IP addresses, edit the splunktcp stanza in inputs.conf. This prevents someone from spoofing your forwarders and possibly corrupting your data.
  • If your forwarder to indexer communications are secured with SSL, edit the splunktcp-ssl stanza in inputs.conf to restrict your indexer to only accept data from forwarders with specific IP addresses.
  • To restrict UDP communications to specific IP addresses, edit the UDP stanza in inputs.conf.

For more information about editing inputs.conf, see inputs.conf

Last modified on 21 June, 2016
Secure access for Splunk knowledge objects
Set up Splunk authentication

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters