Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure Splunk password policies

You can use the Password Policy Management page in Splunk Web to create a password policy for the users of your Splunk platform instance. Password policies set standards and minimum requirements for complexity.

Password policies for clustered search heads

On search head clusters, password policies apply to each individual search head. This means that the number of search heads in the cluster directly affects the number of potential login attempts. For example, if you set a "Failed login attempts" of 5 and there are 3 clustered search heads in the deployment, a user could potentially have up to 15 login attempts before the Splunk platform locks out their account.

Configure Splunk password policies

Follow this procedure to set password policy for your Splunk platform instance.

Password policy management applies to the native Splunk authentication scheme only. It does not apply to the Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML) authentication schemes, or any scheme that relies on external authentication. In those cases, use the password configuration tools for your identity provider to set password policy.

  1. In Splunk Web, select Settings > Password Management.
  2. In the Minimum characters field, specify the minimum number of characters to require for user passwords. The maximum number of characters Splunk software supports is 256. The default value is 8.
  3. In the Numeral field, specify the number of digits to require for user passwords. A best practice is to require at least one number and to not allow passwords that are all numbers. The default is 0.
  4. In the Lowercase field, specify the number of lowercase letters to require for user passwords. A best practice is to require require at least one lowercase letter. The default is 0.
  5. In the Uppercase field, specify the number of uppercase letters to require for user passwords. A best practice is to require at least one uppercase letter. The default is 0.
  6. In the Special character field, specify the number of special characters to require for user passwords. A best practice is to require at least one special character. A user can create a password with any printable ASCII characters. The default is 0.
  7. Check Force existing users to change weak passwords to make existing users upgrade passwords to meet the requirements specified on this page.
  8. Enable Expiration to force a user to change their password after the specified period of time.
  9. In the Days until password expires field, specify the number of days until the user must change their password.
  10. In the Expiration alert in days field, specify the number of days before expiration that warnings appear.
  11. Enable Lockout to lock a user out of the system after a certain number of failed login attempts.
  12. In the Failed login attempts field, specify how many failed login attempts a user can make before they are locked out. The default is 5.
  13. In the Lockout threshold in minutes field, specify the number of minutes between the time of the first failed login until the failed login attempt counter resets.
  14. In the Lockout duration in minutes field, specify how many minutes the user must wait before they can attempt to log in again. The default value is 30 minutes.
  15. Enable History to prevent users from reusing previous passwords. Note that if you disable this value and enable it later, previously saved password history is preserved. Delete $SPLUNK_HOME/etc/opasswd to remove the password history.
  16. In the Password History Count field, specify the number of previous passwords that may not be reused. The default is 24.
  17. Select Save.

Your new password requirements come into effect immediately. Splunk Web and the Splunk platform enforce the requirements on the Set Password field in the Create User page.

Last modified on 04 May, 2024
Password best practices for administrators   Configure a Splunk Enterprise password policy using the Authentication.conf configuration file

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters