Configure Splunk for IPv6

This topic discusses Splunk's support for IPv6 and how to configure it. Before following the procedures in this topic, you may want to review:

• "About configuration files" in this manual to learn about how Splunk's configuration files work
• "Get data from TCP and UDP ports" in the Getting Data In manual
• "server.conf" in this manual to see the reference of options available in the server.conf configuration file
• "inputs.conf" in this manual to see the reference of options available in the inputs.conf configuration file

Starting in version 4.3, Splunk supports IPv6. Users can connect to Splunk Web, use the CLI, and forward data over IPv6 networks.

IPv6 platform support

All Splunk-supported OS platforms (as described in "Supported OSes" in the Installation Manual) are supported for use with IPv6 configurations except for the following:

• HPUX PA-RISC
• Solaris 8, and 9
• AIX

Configure Splunk to listen on an IPv6 network

You have a few options when configuring Splunk to listen over IPv6. You can configure Splunk to:

• connect to IPv6 addresses only and ignore all IPv4 results from DNS
• connect to both IPv4 and IPv6 addresses and
  • try the IPv6 address first
  • try the IPv4 address first
• connect to IPv4 addresses only and ignore all IPv6 results from DNS

To configure how Splunk listens on IPv6: Edit a copy of server.conf in $SPLUNK_HOME/etc/system/local to add the following:

listenOnIPv6=[yes|no|only]

• yes means that splunkd will listen for connections from both IPv6 and IPv4.
• no means that splunkd will listen on IPv4 only, this is the default setting.
• only means that Splunk will listen for incoming connections on IPv6 only.

connectUsingIpVersion=[4-first|6-first|4-only|6-only|auto]

• 4-first means splunkd will try to connect to the IPv4 address first and if that fails, try IPv6.
• 6-first is the reverse of 4-first. This is the policy most IPv6-enabled client apps like web browsers take, but can be less robust in the early stages of IPv6 deployment.
• 4-only means that splunkd will ignore any IPv6 results from DNS.
• 6-only means that splunkd will Ignore any IPv4 results from DNS.
• auto means that splunkd picks a reasonable policy based on the setting of listenOnIPv6. This is the default value.
  • If splunkd is listening only on IPv4, this behaves as though you specified 4-only.
  • If splunkd is listening only on IPv6, this behaves as though you specified 6-only.
  • If splunkd is listening on both, this behaves as though you specified 6-first.

Important: These settings only affect DNS lookups. For example, a setting of connectUsingIpVersion = 6-first will not prevent a stanza with an explicit IPv4 address (like "server=10.1.2.3:9001") from working.

If you have just a few inputs and don't want to enable IPv6 for your entire deployment

If you've just got a few data sources coming over IPv6 but don't want to enable it for your entire Splunk deployment, you can add the listenOnIPv6 setting described above to any [udp], [tcp], [tcp-ssl], [splunktcp], or [splunktcp-ssl] stanza in inputs.conf. This overrides the setting of the same name in server.conf for that particular input.

Forwarding data over IPv6

Your Splunk forwarders can forward over IPv6; the following are supported in outputs.conf:

• The server setting in [tcpout] stanzas can include IPv6 addresses in the standard [host]:port format.
• The [tcpout-server] stanza can take an IPv6 address in the standard [host]:port format.
• The server setting in [syslog] stanzas can include IPv6 addresses in the standard [host]:port format.

Distributed search configuration for IPv6

Your Splunk distributed search deployment can use IPv6; the following are supported in distsearch.conf:

• The servers setting can include IPv6 addresses in the standard [host]:port format
• However, heartbeatMcastAddr has not been updated to support IPv6 addresses; this setting is deprecated in Splunk 4.3 and will be removed from the product in a future release.

Access to Splunk Web over IPv6

If your network policy allows or requires IPv6 connections from web browsers, you can configure the splunkweb service to behave differently than splunkd. Starting in 4.3, web.conf supports a listenOnIPv6 setting. This setting behaves exactly like the one in server.conf described above, but applies only to Splunk Web.

The existing web.conf mgmtHostPort setting has been extended to allow it to take IPv6 addresses if they are enclosed in square brackets. Therefore, if you configure splunkd to only listen on IPv6 (via the setting in server.conf described above), you must change this from 127.0.0.1:8089 to [::1]:8089.

The Splunk CLI and IPv6

The Splunk CLI can communicate to splunkd over IPv6. This works if you have set mgmtHostPort in web.conf, defined the $SPLUNK_URI environment variable, or use the -uri command line option. When using the -uri option, be sure to enclose IPv6 IP address in brackets and the entire address and port in quotes, for example: -uri "[2001:db8::1]:80".

IPv6 and SSO

If you are using IPv6 with SSO, you do not use the square bracket notation for the trustedIP property, as shown in the example below. This applies to both web.conf and server.conf.

In the following web.conf example, the mgmtHostPort attribute uses the square bracket notation, but the trustedIP attribute does not:

[settings]
mgmtHostPort = [::1]:8089
startwebserver = 1
listenOnIPv6=yes
trustedIP=2620:70:8000:c205:250:56ff:fe92:1c7,::1,2620:70:8000:c205::129
SSOMode = strict
remoteUser = X-Remote-User
tools.proxy.on = true 

For more information on SSO, see "Configure Single Sign-on" in the Securing Splunk Enterprise manual.