Create secure administrator credentials
When you install Splunk Enterprise, you must create a username and password for the administrator account. Your Splunk Enterprise instance isn't accessible without this account.
When you install Splunk Enterprise, you have the option of creating this account. The Splunk Enterprise installer lets you specify arguments which let you create the credentials. If you do not specify these arguments when you run the installer, it prompts you to create a username and a password during the installation process.
If you upgrade from an older version of Splunk Enterprise, the installation uses the old administrator credentials.
Create administrator credentials after installing Splunk Enterprise
Splunk Enterprise installers cannot create administrator passwords on their own. You either need to provide it as part of running the installer, or supply the password in a configuration file that the installer can read during the installation process.
If you do not create the password during the installation process using one of these methods, it's possible to end up with a temporarily unusable instance. This can happen, for example, if you use the
--no-prompt Splunk CLI argument for starting a Splunk Enterprise installation and at the same time do not provide an administrator password in the
user-seed.conf configuration file inside the installation. In this case, the installer doesn't prompt you to create an administrator account, and since you did not specify a password, the installer succeeds in installing the software, but does not create the administrator credentials.
In this case, you must create the administrator credentials manually for the instance to be accessible again.
If you installed Splunk Enterprise and did not create the administrator credentials, you can use one of the following methods to create the credentials. All of these methods require physical access to the machine that runs the instance.
Create admin credentials with the user-seed.conf configuration file
This is currently the most secure method to create administrative credentials. Other methods can introduce security risks, mainly around access to command line history or process output.
- Edit the
$SPLUNK_HOME/etc/system/local/user-seed.conffile as follows:
[user_info] USERNAME = admin PASSWORD = <your password>
- Restart Splunk Enterprise.
Create administrator credentials using the REST API
Administrators with access to the machine file system can create a user and enter a password using the
splunkd rest --noauth command.
This method is not secure because the password appears in plain text in the command line history unless you immediately delete the history after you run the command.
You must restart Splunk Enterprise after using
splunkd REST commands.
$ splunk cmd splunkd rest --noauth POST /services/authentication/users "name=admin&password=<your password>&roles=admin"
Create admin credentials using the --seed-passwd or --gen-and-print-passwd CLI arguments
This method of creating the credentials is not secure because the password appears in the command line history, process output (
ps aux), and other items. Splunk Enterprise does not prompt you to create an administrator username in these cases, and instead uses the default of
- Create a password when you start Splunk Enterprise with the
splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>
- Generate a random password and print the random password immediately:
splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd
Create administrator credentials for automated installations with the 'hash-passwd' CLI command
You can use this method in automated installations where you save and distribute
user-seed.conf to other instances. In most cases, you place
user-seed.conf in the
$SPLUNK_HOME/etc/system/local directory on these instances.
This method is not secure because the password appears in plain text in the command line history unless you immediately delete the command line history after you complete the procedure.
- Create a hash from a plain-text password.
splunk hash-passwd <plaintext password>
- Copy the password hash that the command generates.
- Using a text editor, open the $SPLUNK_HOME/etc/system/local/user-seed.conf for editing.
- Place the password hash into the
user-seed.conffile. For example:
$ splunk hash-passwd <your password> $6$hf3syG/qxy6REoBp...
You can then safely write the output of the hash-passwd command in
[user_info] USERNAME = admin HASHED_PASSWORD = $6$hf3syG/qxy6REoBp...
- Save the file and close it.
- Restart the Splunk Enterprise instance.
Validate a password
To validate a password and make sure it conforms to the password complexity requirements, you can use the
splunk validate-passwd CLI command.
splunk validate-passwd <your password> cat passwd.txt | splunk validate-passwd - $ splunk validate-passwd weakpas ERROR: Password did not meet complexity requirements. Password must contain at least: * 8 total printable ASCII character(s).
Reset a lost administrator password
If you lose or forget the admin password, you can reset it. You must have the ability to write to the underlying password file (
splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"
You must restart Splunk Enterprise after making this change.
Install Splunk Enterprise securely
About TLS encryption and cipher suites
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2