
Use network access control lists to protect your deployment
You can limit network access to your Splunk Enterprise deployment by using access control lists in configuration files to restrict incoming network traffic to deployment components such as indexers and search heads.
Splunk Cloud Platform has security safeguards in place that limit access to nearly all components except for Splunk Web from external networks. You can also configure which addresses on your network have access to components of Splunk Cloud Platorm using the Splunk Cloud Platform Admin Config Service (ACS) API.
Configure network access control lists (ACLs) in Splunk Cloud Platform
To learn about how to use the Splunk Cloud Platform ACS API to limit network access to your Splunk Cloud Platform instance, see Configure IP allow lists for Splunk Cloud Platform.
Configure network ACLs in Splunk Enterprise
To configure ACLs to protect a Splunk Enterprise deployment, you use the server.conf
and inputs.conf
configuration files to specify the network IP addresses that the deployment can accept or reject for various communications.
When you configure an ACL, you supply one or more IP addresses to determine what the instance is to accept or reject. You separate multiple addresses with either commas or spaces. You can provide the addresses in the following formats:
- A single IPv4 or IPv6 address. For example:
10.1.2.3, fe80::4a3
. - A Classless Inter-Domain Routing (CIDR) block of addresses. For example:
10/8, fe80:1234/32
. - A DNS name, possibly with an * used as a wildcard, for example:
myhost.example.com, *.splunk.com
. - A single
*
which matches anything (this is the default value).
To add addresses that you wish to include, you add the addresses in one of the formats described below. To exclude an address you prefix the address with !
, the exclamation point.
The Splunk deployment applies the rules in order, and uses the first one that matches. For example, !10.1/16, *
lets connections in from everywhere except the 10.1.*.* network.
Where to configure network ACLs in Splunk Enterprise
You can secure IP addresses for the following connections by editing the [Accept from]
value:
- To instruct a node to only accept replicated data from other nodes with specific IPs, edit the
httpServer
stanza in theserver.conf
configuration file.
If you set this setting, you must confirm that you include the IP addresses of all other peers in the cluster. For more information about clusters, see "About clusters and index replication" For more information about editing the server.conf file, see server.conf.
- To restrict TCP communications to specific IP addresses, edit the
tcp
stanza in theinputs.conf
file. Be careful, as changes in this file overwrite the output values in theserver.conf
file if there are conflicts.
- To restrict TCP communications that use Secure Sockets Layer (SSL) to specific IP addresses, edit the
tcp-ssl
stanza in theinputs.conf
file.
- To configure your indexer to accept data only from forwarders with specific IP addresses, edit the
splunktcp
stanza in theinputs.conf
file on the indexer where you want to restrict the access. This prevents outside actors from setting up a machine to act like a forwarder and possibly corrupting your data.
- If you secure your forwarder-to-indexer communications with SSL, edit the
splunktcp-ssl
stanza in theinputs.conf
file on the indexer to instruct it to only accept data from forwarders with specific IP addresses.
- To restrict User Datagram Protocol (UDP) communications to specific IP addresses, edit the
UDP
stanza in theinputs.conf
file.
For more information about editing the inputs.conf
, see the specification file for inputs.conf.
PREVIOUS Secure access for Splunk knowledge objects |
NEXT Set up native Splunk authentication |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2
Feedback submitted, thanks!