Splunk® Enterprise

Inherit a Splunk Enterprise Deployment

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Review your system security

Splunk software ships with a set of default certificates. The default certificates are generated and configured at startup and can be found in $SPLUNK_HOME/etc/auth/. Splunk recommends that administrators replace these default certificates with self- or third-party-signed certificates.

The following table describes the most common scenarios and the default SSL settings.

| Type of exchange | Client function | Server function | Encryption | Certificate Authentication | Common Name checking | Type of data exchanged |
|---|---|---|---|---|---|---|
| Browser to Splunk Web | Browser | Splunk Web | NOT enabled by default | dictated by client (browser) | dictated by client (browser) | search term results |
| Inter-Splunk communication | Splunk Web | splunkd | enabled by default | NOT enabled by default | NOT enabled by default | search term results |
| Forwarding | splunkd as a forwarder | splunkd as an indexer | NOT enabled by default | NOT enabled by default | NOT enabled by default | data to be indexed |
| Deployment server to indexers | splunkd as a forwarder | splunkd as an indexer | NOT enabled by default | NOT enabled by default | NOT enabled by default | Not recommended. Use Pass4SymmKey instead. |
| Inter-Splunk communication | splunkd as a deployment client | splunkd as deployment server | enabled by default | NOT enabled by default | NOT enabled by default | configuration data |
| Inter-Splunk communication | splunkd as a search head | splunkd as search peer | Enabled by default | NOT enabled by default | NOT enabled by default | search data |

Verify your SSL configurations

Splunk Web

Run the following search in Splunk Web to verify which forwarder connections to your indexers use SSL:

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname version sourceIp destPort ssl
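As an added example (not code from the Splunk documentation), the following Python reproduces what that search does over a handful of constructed metrics.log lines: it keeps only the tcpin_connections events, takes the most recent event per hostname (the dedup step), tables the same fields, and then lists the forwarders whose ssl field is not true. The field names (hostname, version, sourceIp, destPort, ssl) are the ones the search uses; the hostnames, IP addresses, versions and GUIDs in the sample are made up.

```python
import re
from datetime import datetime

# Constructed sample metrics.log lines in the shape of group=tcpin_connections
# events. Hostnames, IPs, versions and GUIDs are invented for this example.
SAMPLE_METRICS_LOG = """\
02-06-2011 19:19:40.123 +0000 INFO Metrics - group=tcpin_connections, 10.1.12.111:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.1.12.111, sourceIp=10.1.12.111, destPort=9997, kb=12.4, hostname=fwd-web-01, version=7.3.0, ssl=true, fwdType=uf, guid=CONSTRUCTED-GUID-1
02-06-2011 19:19:40.124 +0000 INFO Metrics - group=tcpin_connections, 10.1.12.113:50100:9997, connectionType=cooked, sourcePort=50100, sourceHost=10.1.12.113, sourceIp=10.1.12.113, destPort=9997, kb=3.1, hostname=fwd-db-02, version=7.2.9, ssl=false, fwdType=uf, guid=CONSTRUCTED-GUID-2
02-06-2011 19:20:10.555 +0000 INFO Metrics - group=tcpin_connections, 10.1.12.111:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.1.12.111, sourceIp=10.1.12.111, destPort=9997, kb=9.8, hostname=fwd-web-01, version=7.3.0, ssl=true, fwdType=uf, guid=CONSTRUCTED-GUID-1
02-06-2011 19:20:10.556 +0000 INFO Metrics - group=per_index_thruput, series="main", kbps=1.2, eps=4.0, kb=36.0, ev=120
02-06-2011 19:20:40.777 +0000 INFO Metrics - group=tcpin_connections, 10.1.12.113:50100:9997, connectionType=cooked, sourcePort=50100, sourceHost=10.1.12.113, sourceIp=10.1.12.113, destPort=9997, kb=2.0, hostname=fwd-db-02, version=7.2.9, ssl=false, fwdType=uf, guid=CONSTRUCTED-GUID-2
"""

TIMESTAMP_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
# key=value pairs; values are either quoted or run until the next comma/space
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')
TABLE_FIELDS = ("hostname", "version", "sourceIp", "destPort", "ssl")


def parse_tcpin_connections(text):
    """Return one row per tcpin_connections event, carrying the fields the SPL search tables."""
    rows = []
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue  # other metrics groups are not connection records
        match = TIMESTAMP_RE.match(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        row = {"_time": datetime.strptime(match.group(1), "%m-%d-%Y %H:%M:%S.%f")}
        row.update({name: fields.get(name) for name in TABLE_FIELDS})
        rows.append(row)
    return rows


def dedup_by_hostname(rows):
    """Mirror `| dedup hostname`: Splunk returns events newest-first and dedup keeps
    the first one seen, so keep the most recent row per hostname."""
    latest = {}
    for row in sorted(rows, key=lambda r: r["_time"], reverse=True):
        latest.setdefault(row["hostname"], row)
    return list(latest.values())


def forwarders_without_ssl(rows):
    """Hostnames whose most recent connection was not made over SSL."""
    return sorted(r["hostname"] for r in dedup_by_hostname(rows) if r["ssl"] != "true")


if __name__ == "__main__":
    for row in dedup_by_hostname(parse_tcpin_connections(SAMPLE_METRICS_LOG)):
        print(row["_time"], *(row[f] for f in TABLE_FIELDS))
    print("not using SSL:", forwarders_without_ssl(parse_tcpin_connections(SAMPLE_METRICS_LOG)))
```

Point the parser at a real $SPLUNK_HOME/var/log/splunk/metrics.log and the ssl column tells you the same thing the search does: which forwarders are still connecting in clear text.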

Indexer and forwarder

On the indexer, look for the following or similar messages during the start-up sequence to verify that SSL is enabled on the receiving port:

02-06-2011 19:19:01.552 INFO TcpInputProc - using queueSize 1000
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:01.555 INFO TcpInputProc - Port 9997 is compressed
02-06-2011 19:19:01.556 INFO TcpInputProc - Registering metrics callback for: tcpin_connections

On the forwarder, look for the following or similar messages during the start-up sequence to verify that it is configured to use SSL for the connection:

02-06-2011 19:06:10.844 INFO TcpOutputProc - Retrieving configuration from properties
02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/aut/server.pem
02-06-2011 19:06:10.854 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
02-06-2011 19:06:10.859 INFO TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997

Following is how a successful connection might appear in splunkd.log on the indexer:

02-06-2011 19:19:09.848 INFO TcpInputProc - Connection in cooked mode from 10.1.12.111
02-06-2011 19:19:09.854 INFO TcpInputProc - Valid signature found
02-06-2011 19:19:09.854 INFO TcpInputProc - Connection accepted from 10.1.12.111

Following is how a successful connection might appear in splunkd.log on the forwarder:

02-06-2011 19:19:09.927 INFO TcpOutputProc - attempting to connect to 10.1.12.112:9997...
02-06-2011 19:19:09.936 INFO TcpOutputProc - Connected to 10.1.12.112:9997

About securing distributed environments

Communication between search heads and peers uses public-key encryption.

At startup, Splunk software generates a private key and a public key on your Splunk installation. When you configure distributed search on the search head, the public keys are distributed by search heads to peers and those keys are used to secure communication. This default configuration provides built-in encryption as well as data compression that improves performance. See Distribute the key files in the Distributed Search Manual.

Public-key encryption is the default for securing distributed configurations. However, it is possible to configure SSL for a search head cluster by configuring each member of the search head cluster. You can determine whether each member of the search head cluster is configured for SSL by checking the requireClientCert attribute in server.conf. See Secure your deployment server and clients using certificate authentication in Securing Splunk Enterprise.

Encryption with the splunk.secret key

The splunk.secret file contains the key that Splunk software uses to encrypt some of your authentication information in configuration files:

  • web.conf: SSL passwords on every instance
  • authentication.conf: LDAP passwords, if you have any
  • inputs.conf: SSL passwords, if you use splunktcp-ssl
  • outputs.conf: SSL passwords, if you use splunktcp-ssl
  • server.conf: pass4symmkey, if you have one

Splunk Enterprise creates this file in $SPLUNK_HOME/etc/auth/ at initial startup. Any passwords you create in the above list are stored in this file. If you manually add any unencrypted passwords to those configuration files, Splunk software overwrites them with encrypted values at the next startup.
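The two checks above (is requireClientCert set on every search head cluster member, and are any of the listed secrets still sitting in clear text in the .conf files) are easy to script. The following Python is an added example, not Splunk's own tooling: it audits constructed server.conf contents for three hypothetical cluster members. It assumes, as Splunk documents elsewhere, that requireClientCert lives in the [sslConfig] stanza, that pass4SymmKey lives in [general], and that values Splunk has already encrypted with splunk.secret carry a $1$ or $7$ prefix; the member names and values are invented.

```python
import configparser

# Constructed server.conf contents for three hypothetical search head cluster
# members. Encrypted-looking values are placeholders, not real ciphertext.
MEMBER_CONFS = {
    "sh1": """\
[general]
pass4SymmKey = $7$CONSTRUCTED-ENCRYPTED-VALUE-1

[sslConfig]
sslPassword = $7$CONSTRUCTED-ENCRYPTED-VALUE-2
requireClientCert = true
""",
    "sh2": """\
[general]
pass4SymmKey = $7$CONSTRUCTED-ENCRYPTED-VALUE-3

[sslConfig]
sslPassword = changeme
requireClientCert = false
""",
    "sh3": """\
[general]
pass4SymmKey = clustersecret

[sslConfig]
sslPassword = $1$CONSTRUCTED-LEGACY-VALUE
""",
}

# Settings this audit treats as secrets that splunk.secret should have encrypted.
SECRET_KEYS = {"sslPassword", "pass4SymmKey"}
# Prefixes Splunk puts on values it has encrypted (assumption stated in the lead-in).
ENCRYPTED_PREFIXES = ("$1$", "$7$")


def load_conf(text):
    """Parse Splunk's INI-style .conf text, keeping camelCase setting names intact."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # do not lower-case keys such as requireClientCert
    parser.read_string(text)
    return parser


def splunk_bool(value):
    """Splunk accepts several spellings for a true boolean setting."""
    return value.strip().lower() in ("1", "true", "t", "yes", "y")


def audit_member(name, conf_text):
    """Return a list of findings for one member; an empty list means it passed."""
    conf = load_conf(conf_text)
    findings = []
    require = conf.get("sslConfig", "requireClientCert", fallback="false")
    if not splunk_bool(require):
        findings.append(f"{name}: requireClientCert is '{require}', so peers are not certificate-authenticated")
    for section in conf.sections():
        for key, value in conf.items(section):
            if key in SECRET_KEYS and not value.startswith(ENCRYPTED_PREFIXES):
                findings.append(f"{name}: [{section}] {key} is in clear text; restart so splunk.secret encrypts it")
    return findings


def audit_cluster(confs):
    """Audit every member and return {member: [findings]}."""
    return {name: audit_member(name, text) for name, text in confs.items()}


if __name__ == "__main__":
    for member, findings in audit_cluster(MEMBER_CONFS).items():
        print(member, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against the real $SPLUNK_HOME/etc/system/local/server.conf (and the app-level copies that btool would merge) on each member; a member with an empty finding list has client-certificate authentication on and no clear-text secrets in that file.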

Last modified on 07 July, 2017
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12
