Splunk® Enterprise

Admin Manual

Configure Splunk Enterprise for IPv6

Implementing IPv6 support for Splunk Enterprise requires familiarity with configuration files, the ports used by Splunk software, and data input configurations.

IPv6 platform support

Splunk Enterprise IPv6 support depends on the operating system that the Splunk software or a Universal Forwarder is installed on. For a table of supported OS platforms, see Supported Operating Systems in the Installation Manual.

Unsupported operating systems

IPv6 support is unavailable on the AIX operating system.

Splunk Enterprise and IPv6 functionality

The IPv6 configuration in Splunk Enterprise is disabled by default. Before enabling IPv6 support, determine what functionality you want to access with an IPv6 address.

Functionality | Details
Allow the Splunk Enterprise software to listen on the Splunk management port and KVStore port over IPv6. | See Configure Splunk Enterprise to listen on an IPv6 network.
Allow access to Splunk Web over IPv6. | See Configure Splunk Web to listen on IPv6.
Configure a single IPv6 listener for inbound network traffic. | See Configure an IPv6 listener on one network input.
Use a Splunk CLI command to access Splunk Enterprise over IPv6. | See Use the Splunk CLI over IPv6.
Configure a Splunk Forwarder to send data to Splunk Enterprise over IPv6. | See Forwarding data over IPv6.
Configure Splunk Enterprise distributed search for outbound communication over IPv6. | See Distributed search configuration for IPv6.
Configure IPv6 support with single sign-on. | See IPv6 support with single sign-on (SSO).
Change how Splunk Enterprise prioritizes IPv4 and IPv6 communication behavior. | See Change the prioritization of IPv4 and IPv6 communications.

Configure Splunk Enterprise to listen on an IPv6 network

Use the steps below to configure Splunk Enterprise to listen on the Splunk management port and KVStore port over IPv6.

  1. Using a shell prompt, go to the folder $SPLUNK_HOME/etc/system/local.
  2. Edit the server.conf file.
  3. Under the [general] stanza, add the line listenOnIPv6 = yes.
  4. Save the changes.
  5. Restart the Splunk Enterprise instance.
  6. Verify that the service is listening on the appropriate port, for example:
    netstat -an | grep ipv6
  7. (Optional) Change the prioritization of IPv4 and IPv6 communications. See Change the prioritization of IPv4 and IPv6 communications.

After IPv6 is enabled on the Splunk management port, any ports previously defined in the inputs.conf will also listen on IPv6.

Configure Splunk Web to listen on IPv6

Use the steps below to configure Splunk Web to accept communications over IPv6.

  1. Using a shell prompt, go to the folder $SPLUNK_HOME/etc/system/local.
  2. Edit the web.conf file.
  3. Under the [settings] stanza, add the line listenOnIPv6 = yes.
  4. Save the changes.
  5. Restart the Splunk Enterprise instance.
  6. Verify that the service is listening on the appropriate port, for example:
    netstat -an | grep ipv6
  7. Use a web browser to connect to Splunk Web. For example, http://[2620:70:8000:c205::129]:8000.

Change the prioritization of IPv4 and IPv6 communications

After you configure Splunk Enterprise to support IPv6, the services will listen on both IPv4 and IPv6 ports for communication. To prioritize or limit ports to one IP protocol, review and change the connectUsingIpVersion setting in server.conf.

If you configure both Splunk Enterprise and Splunk Web to listen only on IPv6, you must change the web.conf setting mgmtHostPort from 127.0.0.1:8089 to [::1]:8089.

Configure an IPv6 listener on one network input

The inputs.conf stanzas [tcp], [udp], [tcp-ssl], [splunktcp], [splunktcp-ssl] will all accept the listenOnIPv6 setting. The listenOnIPv6 setting for a specific input takes precedence over the configuration applied in server.conf.

To enable IPv6 on a single input, add the setting listenOnIPv6 = yes to the input stanza defined in an inputs.conf file.

  1. Using a shell prompt, go to the folder $SPLUNK_HOME/bin.
  2. Use the btool command to identify the location of the inputs.conf you want to modify. For example, to find a splunktcp stanza, type:
    ./splunk btool inputs list --debug | grep splunktcp
  3. Go to the location of the inputs.conf file found with btool.
  4. Edit the inputs.conf file.
  5. Under the input stanza add the line: listenOnIPv6 = yes.
  6. Save the changes.
  7. Restart the Splunk Enterprise instance.
  8. Verify that the service is listening on the appropriate port, for example:
    netstat -an | grep ipv6

Use the Splunk CLI over IPv6

You can use the Splunk CLI to communicate with a Splunk Enterprise instance over IPv6. The remote instance must be configured to listen for IPv6 on the Splunk management port. See Configure Splunk Enterprise to listen on an IPv6 network.

To access Splunk Enterprise from the CLI, use the -uri parameter with an IPv6 address, for example, ./splunk display app -uri "https://[2620:70:8000:c205::129]:8089"

To predefine the destination address, set the $SPLUNK_URI environment variable in your shell. See Change your default URI value. For more CLI commands, see Get help with the CLI.

If you use link-local addressing on IPv6 (seen as an IPv6 address beginning with fe80:), some of the CLI commands can fail. This failure is due to the OS-level implementation of IPv6 with link-local addresses, and not Splunk software.

Forwarding data over IPv6

To enable a forwarder to send data to another Splunk Enterprise instance over IPv6, edit the outputs.conf and update the server = parameter with an IPv6 address formatted as [host]:port, for example, server = [2002:4721:93f0::e956]:9997. The outputs.conf stanzas [tcpout], [tcpout-server], and [syslog] accept IPv6 addresses.

Distributed search configuration for IPv6

The servers setting in distsearch.conf can include IPv6 addresses in the standard [host]:port format. The remote instance must be configured to listen for IPv6 on the Splunk management port. See Configure Splunk Enterprise to listen on an IPv6 network.

IPv6 support with single sign-on

If you use IPv6 with single sign-on (SSO), don't use the square bracket notation for any IPv6 address referenced in the trustedIP setting, as shown in the following example. The square bracket notation exception applies when setting trustedIP in web.conf or server.conf.

[settings]
mgmtHostPort = [::1]:8089
startwebserver = 1
listenOnIPv6=yes
trustedIP=2620:70:8000:c205:250:56ff:fe92:1c7,::1,2620:70:8000:c205::129
SSOMode = strict
remoteUser = X-Remote-User
tools.proxy.on = true 

For more information on SSO, see Configure Single Sign-on in the Securing Splunk Enterprise manual.
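
The notation rules in this topic are easy to mix up: [host]:port in outputs.conf and mgmtHostPort, but no brackets in trustedIP. The following Python check is an added example, not part of the Splunk documentation or product, that audits the text of web.conf, server.conf, and outputs.conf against those rules. It assumes IPv6-only listening is set with listenOnIPv6 = only and that server.conf keeps trustedIP under [general]; neither detail is stated on this page, and the sample files are constructed.

```python
import ipaddress

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def is_ipv6(text):
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:
        return False

def split_list(value):
    """Split a comma-separated setting into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(web_conf, server_conf, outputs_conf):
    """Return findings for the IPv6 notation rules described in this topic."""
    findings = []
    web = parse_conf(web_conf).get("settings", {})
    general = parse_conf(server_conf).get("general", {})
    # IPv6-only on both services: the IPv4 loopback default is unreachable.
    # Assumption: "only" is the value that selects IPv6-only listening.
    if web.get("listenOnIPv6") == general.get("listenOnIPv6") == "only":
        if not web.get("mgmtHostPort", "127.0.0.1:8089").startswith("["):
            findings.append("web.conf: set mgmtHostPort to [::1]:8089")
    # trustedIP is the exception: bare addresses, no square brackets.
    for name, stanza in (("web.conf", web), ("server.conf", general)):
        for entry in split_list(stanza.get("trustedIP", "")):
            if "[" in entry or "]" in entry:
                findings.append(f"{name}: trustedIP {entry} must not use brackets")
    # outputs.conf server targets: an IPv6 host must be written [host]:port.
    for stanza in parse_conf(outputs_conf).values():
        for target in split_list(stanza.get("server", "")):
            if not target.startswith("[") and is_ipv6(target.rsplit(":", 1)[0]):
                findings.append(f"outputs.conf: server {target} needs [host]:port")
    return findings

# Constructed sample files, not taken from a real deployment.
WEB = "[settings]\nlistenOnIPv6 = only\ntrustedIP = [::1],2620:70:8000:c205::129\n"
SERVER = "[general]\nlistenOnIPv6 = only\n"
OUTPUTS = "[tcpout:idx]\nserver = 2002:4721:93f0::e956:9997, [2002:4721:93f0::e956]:9997\n"

if __name__ == "__main__":
    print("\n".join(audit(WEB, SERVER, OUTPUTS)))
```

Run it against the files that btool reports as effective, before restarting the instance.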

Last modified on 17 January, 2020

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0

