Splunk® Enterprise

Securing Splunk Enterprise

Create secure administrator credentials

When you install Splunk Enterprise, you must create a user name and password for your administrator account. If you do not specify any arguments when you install the software, it prompts you to create a user name and a password during the installation process.

If you do not create the password during installation, the resulting installation can be unusable. This can happen, for example, if you start Splunk Enterprise with the --no-prompt CLI argument and also do not provide an administrator password in user-seed.conf. In that case, you must create the administrator credentials manually before the instance is accessible.

If you upgrade from an older version of Splunk Enterprise, the installation uses the old administrator credentials.

Create admin credentials after starting Splunk Enterprise

If you installed Splunk Enterprise and did not create the administrator credentials, you can use one of the following methods to create the credentials.

Create admin credentials with user-seed.conf

This is currently the most secure method to create administrative credentials. Other methods can introduce security risks, mainly around access to command line history or process output.

  1. Edit the $SPLUNK_HOME/etc/system/local/user-seed.conf file as follows:
    [user_info]
    USERNAME = admin
    PASSWORD = <your password>
    
  2. Restart Splunk Enterprise.

Create admin credentials using REST

Administrators with access to the machine file system can create a user and enter a password using the splunkd rest --noauth command.

This method is not secure because the password appears in plain text in the command line history unless you immediately delete the history after running the command.

You must restart Splunk Enterprise after using splunkd REST commands.

$ splunk cmd splunkd rest --noauth POST /services/authentication/users "name=admin&password=<your password>&roles=admin"

Create admin credentials using the --seed-passwd or --gen-and-print-passwd CLI arguments

This method of creating the credentials is not secure because the password appears in the command line history, in process listings (ps aux), and in similar places. Splunk Enterprise does not prompt you for an administrator user name in these cases and instead uses the default of admin.

  • Create a password when you start Splunk Enterprise with the --seed-passwd argument:
    splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>
  • Generate a random password and print it immediately:
    splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd

Create admin credentials for automated installations with the 'hash-passwd' CLI command

You can use this method in automated installations where you save and distribute user-seed.conf to the newly installed instances.

This method is secure as long as you delete the command line history after completing the procedure.

  1. Create a hash from a plain-text password.
    splunk hash-passwd <plaintext password>
    
  2. Copy the hash and place it into the user-seed.conf file. For example:
    $ splunk hash-passwd <your password>
    $6$hf3syG/qxy6REoBp...
    

    You can then safely write the output of the hash-passwd command into user-seed.conf.

    For example:

    [user_info]
    USERNAME = admin
    HASHED_PASSWORD = $6$hf3syG/qxy6REoBp...
  3. To validate a password and make sure it conforms to the password complexity requirements, you can use validate-passwd. For example:
    splunk validate-passwd <your password>
    cat passwd.txt | splunkd validate-passwd -
    $ splunk validate-passwd weakpas
    ERROR: Password did not meet complexity requirements. Password must contain at least:
       * 8 total printable ASCII character(s).
    

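For the automated-installation procedure above, the following is an added example (not Splunk's own code) that takes a hash already produced by splunk hash-passwd, refuses anything that is not a complete $6$ crypt string (so a plaintext password cannot be seeded by mistake), applies the minimum-length rule quoted by validate-passwd, and writes user-seed.conf atomically with owner-only permissions. The SPLUNK_ADMIN_HASH variable, the policy check, and the file layout under $SPLUNK_HOME are assumptions of this example.

```python
"""Build user-seed.conf for an automated Splunk Enterprise install.

Added example, not Splunk's code. Assumption: the hash was produced with
`splunk hash-passwd` and is passed in the SPLUNK_ADMIN_HASH environment
variable rather than on the command line, so it does not land in shell
history or `ps` output (root can still read /proc/<pid>/environ)."""
import os
import re
import tempfile
from pathlib import Path

MIN_LEN = 8  # minimum quoted by the validate-passwd error message on this page
# SHA-512 crypt string as printed by hash-passwd: $6$[rounds=N$]salt$86-char digest
SHA512_CRYPT = re.compile(r"\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")


def check_password_policy(pw: str) -> list:
    """Return the list of violated rules (an empty list means the password passes)."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"at least {MIN_LEN} total printable ASCII character(s)")
    if any(not 0x20 <= ord(c) <= 0x7E for c in pw):
        problems.append("only printable ASCII characters")
    return problems


def looks_like_hash_passwd_output(hashed: str) -> bool:
    """Reject anything that is not a complete $6$ hash, e.g. a pasted plaintext."""
    return SHA512_CRYPT.fullmatch(hashed) is not None


def render_user_seed(username: str, hashed: str) -> str:
    if not looks_like_hash_passwd_output(hashed):
        raise ValueError("HASHED_PASSWORD must be a $6$ SHA-512 crypt string")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", username):
        raise ValueError("unexpected characters in username")
    return f"[user_info]\nUSERNAME = {username}\nHASHED_PASSWORD = {hashed}\n"


def write_user_seed(splunk_home: Path, username: str, hashed: str) -> Path:
    """Write user-seed.conf atomically with mode 0600 (owner read/write only)."""
    target = splunk_home / "etc" / "system" / "local" / "user-seed.conf"
    target.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=".user-seed.")
    with os.fdopen(fd, "w") as f:  # mkstemp already creates the file as 0600
        f.write(render_user_seed(username, hashed))
    os.chmod(tmp, 0o600)
    os.replace(tmp, target)  # rename so splunkd never reads a half-written file
    return target


if __name__ == "__main__":
    home = Path(os.environ.get("SPLUNK_HOME", "/opt/splunk"))
    print("wrote", write_user_seed(home, "admin", os.environ["SPLUNK_ADMIN_HASH"]))
```

Run it as the Splunk service user on the target host, then restart Splunk Enterprise as step 2 of the user-seed.conf method describes.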
Reset a lost password

If you lose or forget the admin password, you can reset it. You must have the ability to write to the underlying password file ($SPLUNK_HOME/etc/passwd).

splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"

You must restart Splunk Enterprise after making this change.


This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0


Comments

JoeJack, I see the same issues you do. I ended up using this command and then restarting the splunk server (splunk stop followed by splunk start):

splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"

Hptechnician
November 9, 2018

Joejack, you'll need to ask your Service Desk for the correct credentials to use for the corporate system. These credentials will differ from those that you created in the past for a local Splunk Enterprise installation on which you had admin privileges.

Andrewb splunk, Splunker
October 8, 2018

I'm at the Splunk Enterprise "First time signing in" screen, and the admin password I'd previously created isn't working. I click on "First time signing in?" link, but there is no response. I do not know where to go to navigate the above commands, as my Service Desk downloaded this to my PC.

Joejack
October 5, 2018
