Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Use network access control lists to protect your deployment

You can limit network access to your Splunk Enterprise deployment by using access control lists in configuration files to restrict incoming network traffic to deployment components such as indexers and search heads.

Splunk Cloud Platform has security safeguards in place that limit access to nearly all components except for Splunk Web from external networks. You can also configure which addresses on your network have access to components of Splunk Cloud Platorm using the Splunk Cloud Platform Admin Config Service (ACS) API.

Configure network access control lists (ACLs) in Splunk Cloud Platform

To learn about how to use the Splunk Cloud Platform ACS API to limit network access to your Splunk Cloud Platform instance, see Configure IP allow lists for Splunk Cloud Platform.

Configure network ACLs in Splunk Enterprise

To configure ACLs to protect a Splunk Enterprise deployment, you use the server.conf and inputs.conf configuration files to specify the network IP addresses that the deployment can accept or reject for various communications.

When you configure an ACL, you supply one or more IP addresses to determine what the instance is to accept or reject. You separate multiple addresses with either commas or spaces. You can provide the addresses in the following formats:

  • A single IPv4 or IPv6 address. For example: 10.1.2.3, fe80::4a3.
  • A Classless Inter-Domain Routing (CIDR) block of addresses. For example: 10/8, fe80:1234/32.
  • A DNS name, possibly with an * used as a wildcard, for example: myhost.example.com, *.splunk.com.
  • A single * which matches anything (this is the default value).

To add addresses that you wish to include, you add the addresses in one of the formats described below. To exclude an address you prefix the address with !, the exclamation point.

The Splunk deployment applies the rules in order, and uses the first one that matches. For example, !10.1/16, * lets connections in from everywhere except the 10.1.*.* network.

Where to configure network ACLs in Splunk Enterprise

You can secure IP addresses for the following connections by editing the [Accept from] value:

  • To instruct a node to only accept replicated data from other nodes with specific IPs, edit the httpServer stanza in the server.conf configuration file.
    If you set this setting, you must confirm that you include the IP addresses of all other peers in the cluster. For more information about clusters, see "About clusters and index replication" For more information about editing the server.conf file, see server.conf.
  • To restrict TCP communications to specific IP addresses, edit the tcp stanza in the inputs.conf file. Be careful, as changes in this file overwrite the output values in the server.conf file if there are conflicts.
  • To restrict TCP communications that use Secure Sockets Layer (SSL) to specific IP addresses, edit the tcp-ssl stanza in the inputs.conf file.
  • To configure your indexer to accept data only from forwarders with specific IP addresses, edit the splunktcp stanza in the inputs.conf file on the indexer where you want to restrict the access. This prevents outside actors from setting up a machine to act like a forwarder and possibly corrupting your data.
  • If you secure your forwarder-to-indexer communications with SSL, edit the splunktcp-ssl stanza in the inputs.conf file on the indexer to instruct it to only accept data from forwarders with specific IP addresses.
  • To restrict User Datagram Protocol (UDP) communications to specific IP addresses, edit the UDP stanza in the inputs.conf file.

For more information about editing the inputs.conf, see the specification file for inputs.conf.

Last modified on 14 December, 2021
PREVIOUS
Secure access for Splunk knowledge objects
  NEXT
Set up native Splunk authentication

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters