Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF


Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Deploy secure passwords across multiple servers

When you Install Splunk Enterprise, it creates a file called splunk.secret in the $SPLUNK_HOME/etc/auth directory. This file contains a key that Splunk Enterprise uses to encrypt some of your authentication information in its configuration files.

The following files can have authentication information encrypted within them. Passwords and encryption methods that each file uses are not necessarily interchangeable.

Configuration file Purpose What can be encrypted
authentication.conf Authentication Any Lightweight directory access protocol (LDAP) passwords (bindDNPassword, attributeQuerySoapPassword settings.)
inputs.conf Splunk platform data inputs TLS/SSL passwords (sslPassword setting) for splunktcp-ssl inputs, for data distribution
outputs.conf Splunk platform data forwarding configurations TLS/SSL passwords (sslPassword setting) for when you need to configure splunktcp-ssl outputs for receiving data from TLS inputs that you configure in the inputs.conf file
passwords.conf Credential information for apps Passwords for a specific app ( password setting).
server.conf Splunk Enterprise server configurations Any pass4Symmkeys that you use to secure connections between Splunk Enterprise components. For more information on this setting, see Secure Splunk Enterprise services with pass4SymmKey.
web.conf Splunk Web and associated services TLS/SSL passwords (sslPassword setting) for each instance.

When Splunk Enterprise starts, it checks all its configuration files for clear-text passwords. If it detects a clear-text password for one of the previously-specified settings, it creates or overwrites the value for that setting with the encrypted password value.

In a search head cluster, the search head cluster captain replicates its splunk.secret file to all other cluster members during initial deployment of the cluster. You do not need to copy the file manually. As part of its normal operation, the cluster also automatically replicates any credentials that are stored by apps for their own use.

If you specify a password value for either the pass4SymmKey or sslPassword settings in clear text within the default directory of an app, Splunk Enterprise obfuscates the values in the local configuration directory for the app when you restart it. The value for the setting still appears in clear text within the app default configuration directory. If you display the contents of the file using REST, the password prints in encrypted format.

to secure values for password-related settings as you distribute them. 

Perform these steps when you set up your Splunk Enterprise instance initially and at any time you need to deploy a new password for the instance:

  1. Using the encryption tool, distribute the password values to all servers.
  2. On each server, place the password, in clear text, in the relevant configuration file.
  3. Immediately start/restart to encrypt all the passwords under the server's unique secret.

-->

Last modified on 29 November, 2023
PREVIOUS
Secure Splunk Enterprise service accounts
  NEXT
Harden the network port that App Key Value Store uses

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters