Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Edit authentication.conf

To integrate your authentication system with your Splunk deployment, make sure the authentication system is running and then do the following:

1. Create and test a Python authentication script. See "Create the authentication script" for the procedure.

2. Edit authentication.conf to enable your authentication script. See "Enable your script" in this topic.

3. Edit authentication.conf to set your cache duration. See "Set cache durations" in this topic.

Enable your script

Once you create a Python script to implement authentication, you update the authentication.conf in $SPLUNK_HOME/etc/system/local/ to enable your script. You can also copy and edit a sample authentication.conf from $SPLUNK_HOME/share/splunk/authScriptSamples/.

Specify Scripted as your authentication type under the [authentication] stanza heading:

[authentication]
authType = Scripted
authSettings = script

Set script variables under the [script] stanza heading. For example:

[script]
scriptPath = $SPLUNK_HOME/bin/python $SPLUNK_HOME/bin/<scriptname.py>

Set cache durations

To significantly speed authentication performance when using scripted authentication, enable Splunk authentication caching. You do so by adding the optional [cacheTiming] stanza. Each script function (except getSearchFilter) has a settable cacheTiming attribute, which turns on caching for that function and specifies its cache duration. For example, to specify the cache timing for the getUserInfo function, use the getUserInfoTTL attribute. Caching for a function occurs only if its associated attribute is specified.

The cacheTiming settings specify the frequency at which Splunk software calls your script to communicate with the external authentication system. You can specify time in seconds (s), minutes (m), hours (h), days (d), etc. Typically, you'll limit the cache frequency to seconds or minutes. If a unit is not specified, the value defaults to seconds. So, a value of "5" is equivalent to "5s".

This example shows typical values for the caches:

[cacheTiming]
userLoginTTL    = 10s
getUserInfoTTL  = 1m
getUsersTTL     = 2m

You'll want to set userLoginTTL to a low value, since this determines how long user login/password validity is cached.

To refresh all caches immediately, use the CLI command reload auth:

./splunk reload auth

Note: This command does not boot current users off the system.

You can also refresh caches in Splunk Web:

1. In the System menu, under Users and authentication select Access controls.

2. Click Authentication method.

3. Click Reload authentication configuration to refresh the caches.

Each specified function, except getUsers, has a separate cache for each user. So, if you have 10 users logged on and you've specified the getUserInfoTTL attribute, the getUserInfo function will have 10 user-based caches. The getUsers function encompasses all users, so it has a single, global cache.

Last modified on 10 September, 2022
Create the authentication script   Use PAM authentication

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters