Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Create secure administrator credentials

When you install Splunk Enterprise, you must create a username and password for the administrator account. Your Splunk Enterprise instance isn't accessible without this account.

You have the option of creating this account as part of running the Splunk Enterprise installer. This is the fastest way to create these necessary credentials when you install Splunk Enterprise. The installer lets you specify command line arguments that let you create the credentials. If you do not specify these arguments when you run the installer, it prompts you to create a username and a password later in the installation process.

If you upgrade from an older version of Splunk Enterprise, the installer uses existing administrator credentials and doesn't ask you to create new ones.

Create administrator credentials after you install Splunk Enterprise

The Splunk Enterprise installer needs action from you to create administrator credentials. You must do one of the following:

  1. Provide credentials as command-line arguments to the installer when you run the installer
  2. Supply the password in a configuration file that the installer can read during the installation process
  3. Answer the prompts during the installation process when they appear

If you do not create the password during the installation process using one of these methods, it's possible to end up with a temporarily unusable instance. This can happen, for example, if you use the --no-prompt Splunk CLI argument for starting a Splunk Enterprise installation and at the same time do not provide an administrator password in the user-seed.conf configuration file inside the installation. In this case, the installer doesn't prompt you to create an administrator account, and since you did not specify a password, the installer succeeds in installing the software, but does not create the administrator credentials.

In this case, you must create the administrator credentials manually for the instance to be accessible again.

If you installed Splunk Enterprise and did not create the administrator credentials, you can use one of the following methods to create the credentials. All of these methods require physical access to the machine that runs the instance.

Create administrator credentials with the user-seed.conf configuration file

You can create administrator credentials using the user-seed.conf configuration file. This is currently the most secure method to create administrative credentials. Other methods can introduce security risks, mainly around access to command line history or process output.

  1. Edit the $SPLUNK_HOME/etc/system/local/user-seed.conf file as follows:
    [user_info]
    USERNAME = admin
    PASSWORD = <your password>
    
  2. Restart Splunk Enterprise.

Create administrator credentials using the REST API

You can create credentials using the splunkd rest --noauth command. This method is a potential security risk unless you immediately delete the command line history after you run the command. Tis is because the password appears in plain text in the command line history.

You must restart Splunk Enterprise after using splunkd REST commands.

$ splunk cmd splunkd rest 
--noauth POST /services/authentication/users 
"name=admin&password=<your password>&roles=admin"

Create admin credentials using the --seed-passwd or --gen-and-print-passwd CLI arguments

You can use the --seed-passwd or --gen-and-print-passwd CLI arguments to create administrator credentials. This method of is a potential security risk because the password appears in the command line history, process output (ps aux), and other items. Deleting the command line history can reduce this potential risk.

  • Create a password when you start Splunk Enterprise with the --seed-passwd argument:
splunk start --accept-license 
--answer-yes --no-prompt --seed-passwd <your password>
  • Generate a random password and print the random password immediately:
splunk start --accept-license 
--answer-yes --no-prompt --gen-and-print-passwd

Create administrator credentials for automated installations with the 'hash-passwd' CLI command

You can use this method in automated installations where you save and distribute the user-seed.conf file to other instances. In most cases, you place the user-seed.conf file in the $SPLUNK_HOME/etc/system/local directory on these instances.

This method is potentially a security risk because the password appears in plain text in the command line history. Deleting the the command line history after you complete the procedure can reduce this risk.

  1. Create a hash from a plain-text password.
    splunk hash-passwd <plaintext password>
    
  2. Copy the password hash that the command generates.
  3. Using a text editor, open the $SPLUNK_HOME/etc/system/local/user-seed.conf for editing.
  4. Place the password hash into the user-seed.conf file. For example:
    $ splunk hash-passwd <your password>
    $6$hf3syG/qxy6REoBp...
    

    You can then safely write the output of the hash-passwd command into the user-seed.conf configuration file.

    For example:

    [user_info]
    USERNAME = admin
    HASHED_PASSWORD = $6$hf3syG/qxy6REoBp...
  5. Save the file and close it.
  6. Restart the Splunk Enterprise instance.

Validate a password

To validate a password and confirm that it conforms to the password complexity requirements, you can use the splunk validate-passwd CLI command.

For example:

splunk validate-passwd <your password>
cat passwd.txt | splunk validate-passwd -
$ splunk validate-passwd weakpas
ERROR: Password did not meet complexity requirements. Password must contain at least:
   * 8 total printable ASCII character(s).

Reset credentials

If you lose or forget administrator credentials, you can reset the password. You must be able to write to the underlying password file ($SPLUNK_HOME/etc/passwd). You must restart Splunk Enterprise after making this change.

splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"

Delete the command line history after you run this command.

Last modified on 30 April, 2024
Install Splunk Enterprise securely   About TLS encryption and cipher suites

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters