Configure Splunk for IPv6
This topic discusses Splunk's support for IPv6 and how to configure it. Before following the procedures in this topic, you may want to review:
- "About configuration files" in this manual to learn about how Splunk's configuration files work
- "Get data from TCP and UDP ports" in the Getting Data In manual
- "server.conf" in this manual to see the reference of options available in the
server.conf
configuration file - "inputs.conf" in this manual to see the reference of options available in the
inputs.conf
configuration file
Starting in version 4.3, Splunk supports IPv6. Users can connect to Splunk Web, use the CLI, and forward data over IPv6 networks.
IPv6 platform support
All Splunk-supported OS platforms (as described in "Supported OSes" in the Installation Manual) are supported for use with IPv6 configurations except for the following:
- HPUX PA-RISC
- Solaris 8, and 9
- AIX
Configure Splunk to listen on an IPv6 network
You have a few options when configuring Splunk to listen over IPv6. You can configure Splunk to:
- connect to IPv6 addresses only and ignore all IPv4 results from DNS
- connect to both IPv4 and IPv6 addresses and
- try the IPv6 address first
- try the IPv4 address first
- connect to IPv4 addresses only and ignore all IPv6 results from DNS
To configure how Splunk listens on IPv6:
Edit a copy of server.conf
in $SPLUNK_HOME/etc/system/local
to add the following:
listenOnIPv6=[yes|no|only]
yes
means that splunkd will listen for connections from both IPv6 and IPv4.no
means that splunkd will listen on IPv4 only, this is the default setting.only
means that Splunk will listen for incoming connections on IPv6 only.
connectUsingIpVersion=[4-first|6-first|4-only|6-only|auto]
4-first
means splunkd will try to connect to the IPv4 address first and if that fails, try IPv6.6-first
is the reverse of4-first
. This is the policy most IPv6-enabled client apps like web browsers take, but can be less robust in the early stages of IPv6 deployment.4-only
means that splunkd will ignore any IPv6 results from DNS.6-only
means that splunkd will Ignore any IPv4 results from DNS.auto
means that splunkd picks a reasonable policy based on the setting oflistenOnIPv6
. This is the default value.- If splunkd is listening only on IPv4, this behaves as though you specified
4-only
. - If splunkd is listening only on IPv6, this behaves as though you specified
6-only
. - If splunkd is listening on both, this behaves as though you specified
6-first
.
- If splunkd is listening only on IPv4, this behaves as though you specified
Important: These settings only affect DNS lookups. For example, a setting of connectUsingIpVersion = 6-first
will not prevent a stanza with an explicit IPv4 address (like "server=10.1.2.3:9001") from working.
If you have just a few inputs and don't want to enable IPv6 for your entire deployment
If you've just got a few data sources coming over IPv6 but don't want to enable it for your entire Splunk deployment, you can add the listenOnIPv6
setting described above to any [udp], [tcp], [tcp-ssl], [splunktcp]
, or [splunktcp-ssl]
stanza in inputs.conf
. This overrides the setting of the same name in server.conf
for that particular input.
Forwarding data over IPv6
Your Splunk forwarders can forward over IPv6; the following are supported in outputs.conf
:
- The
server
setting in[tcpout]
stanzas can include IPv6 addresses in the standard[host]:port
format. - The
[tcpout-server]
stanza can take an IPv6 address in the standard[host]:port
format. - The
server
setting in[syslog]
stanzas can include IPv6 addresses in the standard[host]:port
format.
Distributed search configuration for IPv6
Your Splunk distributed search deployment can use IPv6; the following are supported in distsearch.conf
:
- The
servers
setting can include IPv6 addresses in the standard[host]:port
format - However,
heartbeatMcastAddr
has not been updated to support IPv6 addresses; this setting is deprecated in Splunk 4.3 and will be removed from the product in a future release.
Access to Splunk Web over IPv6
If your network policy allows or requires IPv6 connections from web browsers, you can configure the splunkweb service to behave differently than splunkd. Starting in 4.3, web.conf
supports a listenOnIPv6
setting. This setting behaves exactly like the one in server.conf
described above, but applies only to Splunk Web.
The existing web.conf mgmtHostPort
setting has been extended to allow it to take IPv6 addresses if they are enclosed in square brackets. Therefore, if you configure splunkd to only listen on IPv6 (via the setting in server.conf
described above), you must change this from 127.0.0.1:8089
to [::1]:8089
.
The Splunk CLI and IPv6
The Splunk CLI can communicate to splunkd over IPv6. This works if you have set mgmtHostPort
in web.conf
, defined the $SPLUNK_URI
environment variable, or use the -uri
command line option. When using the -uri
option, be sure to enclose IPv6 IP address in brackets and the entire address and port in quotes, for example: -uri "[2001:db8::1]:80"
.
IPv6 and SSO
If you are using IPv6 with SSO, you do not use the square bracket notation for the trustedIP
property, as shown in the example below. This applies to both web.conf
and server.conf
.
In the following web.conf
example, the mgmtHostPort
attribute uses the square bracket notation, but the trustedIP
attribute does not:
[settings] mgmtHostPort = [::1]:8089 startwebserver = 1 listenOnIPv6=yes trustedIP=2620:70:8000:c205:250:56ff:fe92:1c7,::1,2620:70:8000:c205::129 SSOMode = strict remoteUser = X-Remote-User tools.proxy.on = true
For more information on SSO, see "Configure Single Sign-on" in the Securing Splunk Enterprise manual.
Bind Splunk to an IP | Secure your configuration |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9
Feedback submitted, thanks!