Use network access control lists to protect your Splunk Enterprise deployment
Splunk Cloud has security safeguards in place that limit access to nearly all components except for Splunk Web from external networks. To help secure your Splunk Enterprise deployment in a similar fashion, you can use network access control lists (ACLs) to limit the network addresses that can access the deployment.
To configure ACLs to protect a Splunk Enterprise deployment, you use the
inputs.conf configuration files to specify the network IP addresses that the deployment can accept or reject for various communications.
How to set up network ACLs
When you configure an ACL, you supply one or more IP addresses to determine what the instance is to accept or reject. You separate multiple addresses with either commas or spaces. You can provide the addresses in the following formats:
- A single IPv4 or IPv6 address. For example:
- A Classless Inter-Domain Routing (CIDR) block of addresses. For example:
- A DNS name, possibly with an * used as a wildcard, for example:
- A single
*which matches anything (this is the default value).
To add addresses that you wish to include, you add the addresses in one of the formats described below. To exclude an address you prefix the address with
!, the exclamation point.
The Splunk deployment applies the rules in order, and uses the first one that matches. For example,
!10.1/16, * lets connections in from everywhere except the 10.1.*.* network.
Where to set up network ACLs
You can secure IP addresses for the following connections by editing the
[Accept from] value:
- To instruct a node to only accept replicated data from other nodes with specific IPs, edit the
httpServerstanza in the
If you set this setting, you must confirm that you include the IP addresses of all other peers in the cluster. For more information about clusters, see "About clusters and index replication" For more information about editing the server.conf file, see server.conf.
- To restrict TCP communications to specific IP addresses, edit the
tcpstanza in the
inputs.conffile. Be careful, as changes in this file overwrite the output values in the
server.conffile if there are conflicts.
- To restrict TCP communications that use Secure Sockets Layer (SSL) to specific IP addresses, edit the
tcp-sslstanza in the
- To configure your indexer to accept data only from forwarders with specific IP addresses, edit the
splunktcpstanza in the
inputs.conffile on the indexer where you want to restrict the access. This prevents outside actors from setting up a machine to act like a forwarder and possibly corrupting your data.
- If you secure your forwarder-to-indexer communications with SSL, edit the
splunktcp-sslstanza in the
inputs.conffile on the indexer to instruct it to only accept data from forwarders with specific IP addresses.
- To restrict User Datagram Protocol (UDP) communications to specific IP addresses, edit the
UDPstanza in the
For more information about editing the
inputs.conf, see the specification file for inputs.conf.
Secure access for Splunk knowledge objects
Set up Splunk authentication
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3