Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Create a secure administrator password

When you install Splunk Enterprise, you should create a password for your administrator account. If you do not create the password during installation (for example, if you use the --no-prompt Splunk CLI argument for starting Splunk Enterprise, and also do not provide an administrator password in user-seed.conf), you must then create the administrator credentials manually for the instance to be accessible.

If you upgrade from an older version of Splunk Enterprise, the old administrator password is automatically used as the new administrator password.

Note that updates made using splunkd REST commands require a restart.

Note that when users change their own password, the "oldpassword" argument must be passed in.

Create admin credentials after starting Splunk Enterprise

If you installed Splunk Enterprise and did not create the administrator password, you can use one of the following methods to create the credentials.

Create admin credentials with user-seed.conf

This is currently the most secure method to create the credentials. The other methods in this topic are faster or easier, but introduce security risks, mainly around access to command line history or process output.

  1. Edit $SPLUNK_HOME/etc/system/local/user-seed.conf file as follows.
    [user_info]
    USERNAME = admin
    PASSWORD = <your password>
    
  2. Restart Splunk Enterprise.

Create admin credentials using REST

Administrators with access to the machine file system can create a user and enter a password using the splunkd rest --noauth command. This method is not secure, because the password appears in plain text in the command line history, unless you immediately delete the history after running the command.

$ splunk cmd splunkd rest --noauth POST /services/authentication/users "name=admin&password=<your password>&roles=admin"

Create admin credentials using the '--seed-passwd' or '--gen-and-print-passwd' CLI arguments

While this method is the fastest way to create the credentials, it is not secure because the password appears in the command line history, in process listings (for example, ps aux), and in other places that record command arguments.

  • Create a password when you start Splunk Enterprise with the --seed-passwd argument:
    $ splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>

  • Generate a random password (the command prints the random password immediately):
    $ splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd

Create admin credentials for automated installations with the 'hash-passwd' CLI command

This method can be used in automated installations where user-seed.conf is saved and distributed to the newly installed instances.

This method is secure as long as you delete the command line history after completing the procedure.

  1. Create a hash from a plain-text password:
    splunk hash-passwd <your password>

  2. Copy the hash and place it into the user-seed.conf file. For example:
    $ splunk hash-passwd <your password>
    $6$hf3syG/qxy6REoBp...

    The output of the hash-passwd command can then be safely written in user-seed.conf. For example:

    [user_info]
    USERNAME = admin
    HASHED_PASSWORD = $6$hf3syG/qxy6REoBp...

  3. To validate a password and make sure it conforms to the password complexity requirements, you can use validate-passwd. The password can be passed as an argument or read from standard input with "-". For example:
    splunk validate-passwd <your password>
    cat passwd.txt | splunkd validate-passwd -

    A password that fails the check produces an error such as:
    $ splunk validate-passwd weakpas
    ERROR: Password did not meet complexity requirements. Password must contain at least:
       * 8 total printable ASCII character(s).
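The following POSIX shell script is an added example, not code from the Splunk documentation or from Splunk. It covers the two user-seed.conf procedures on this page (the plain user-seed.conf method and the hash-passwd method for automated installs): it pre-checks a candidate password against the one rule the validate-passwd output above shows (at least 8 printable ASCII characters), writes user-seed.conf from a hash that was already produced by splunk hash-passwd, refuses to write anything that does not look like a $6$ hash so a plaintext password cannot land in the file by mistake, and confirms the resulting file is readable only by its owner. The hash value in the usage comment is a constructed placeholder, and the helper names (precheck_passwd, write_user_seed, check_user_seed) are this example's own; splunk validate-passwd remains the authority on the full password policy.

```shell
#!/bin/sh
# Added example (not Splunk's code): stage user-seed.conf for an automated
# install from a hash produced by `splunk hash-passwd`, without writing the
# plaintext password to disk and with owner-only file permissions.

# precheck_passwd PASSWORD
# Mirrors the one documented rule visible on this page: at least 8 printable
# ASCII characters. Returns 0 when the password passes, 1 otherwise.
precheck_passwd() {
    pw=$1
    # Too short.
    [ "${#pw}" -ge 8 ] || return 1
    # Any byte outside the printable ASCII range 0x20-0x7E fails the check.
    if printf '%s' "$pw" | LC_ALL=C grep -q '[^ -~]'; then
        return 1
    fi
    return 0
}

# write_user_seed HASH [USERNAME] [SEED_PATH]
# Writes [user_info] with a HASHED_PASSWORD line. SEED_PATH defaults to the
# documented $SPLUNK_HOME/etc/system/local/user-seed.conf location.
write_user_seed() {
    hash=$1
    user=${2:-admin}
    seed=${3:-${SPLUNK_HOME:?SPLUNK_HOME must be set}/etc/system/local/user-seed.conf}
    # `splunk hash-passwd` prints a $6$ (SHA-512 crypt) hash; anything else is
    # most likely a plaintext password handed in by mistake, so refuse it.
    case $hash in
        '$6$'*) ;;
        *) echo "write_user_seed: expected a \$6\$ hash, refusing to write" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$seed")" || return 1
    # umask 077 in a subshell so the file is created mode 600 without changing
    # the caller's umask.
    (umask 077; printf '[user_info]\nUSERNAME = %s\nHASHED_PASSWORD = %s\n' \
        "$user" "$hash" > "$seed")
}

# check_user_seed SEED_PATH
# Returns 0 only if the file carries a hashed password (no plaintext PASSWORD
# line) and is readable by its owner alone.
check_user_seed() {
    seed=$1
    [ -f "$seed" ] || return 1
    # A PASSWORD= line means the plaintext method was used; reject it.
    if grep -q '^[[:space:]]*PASSWORD[[:space:]]*=' "$seed"; then
        return 1
    fi
    grep -q '^HASHED_PASSWORD = \$6\$' "$seed" || return 1
    # Permission string from ls -l is portable across GNU and BSD userlands;
    # the first 10 characters exclude any trailing ACL/SELinux marker.
    mode=$(ls -l "$seed" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
}

# Usage on a real installation (the hash shown is a constructed placeholder):
#   precheck_passwd "$PW" && hash=$(splunk hash-passwd "$PW")
#   write_user_seed "$hash"           # writes $SPLUNK_HOME/etc/system/local/user-seed.conf
#   check_user_seed "$SPLUNK_HOME/etc/system/local/user-seed.conf"
#   # e.g. hash='$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE'
```

The refusal in write_user_seed is the point of the design: an automation pipeline that is handed a value without the $6$ prefix has almost certainly been given the plaintext password, and writing that into a distributed user-seed.conf would defeat the purpose of the hash-passwd method.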

Reset a lost password

If you lose or forget the admin password, you can reset it. You must have the ability to write to the underlying password file ($SPLUNK_HOME/etc/passwd).

splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>" 
Last modified on 22 August, 2018
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10