Splunk® Enterprise

Securing Splunk Enterprise



Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Create secure administrator credentials

When you install Splunk Enterprise, you must create a username and password for your administrator account. If you do not specify any arguments when you install the software, it prompts you to create a username and a password during the installation process.

If you do not create the password during installation, the installation can be left in an unusable state. This happens, for example, if you start Splunk Enterprise with the --no-prompt CLI argument and also do not provide an administrator password in user-seed.conf. In that case, you must create the administrator credentials manually before the instance can be accessed.

If you upgrade from an older version of Splunk Enterprise, the installation uses the old administrator credentials.

Create admin credentials after starting Splunk Enterprise

If you installed Splunk Enterprise and did not create the administrator credentials, you can use one of the following methods to create the credentials.

Create admin credentials with user-seed.conf

This is currently the most secure method to create administrative credentials. Other methods can introduce security risks, mainly around access to command line history or process output.

  1. Edit the $SPLUNK_HOME/etc/system/local/user-seed.conf file as follows:
    [user_info]
    USERNAME = admin
    PASSWORD = <your password>
    
  2. Restart Splunk Enterprise.

Create admin credentials using REST

Administrators with access to the machine file system can create a user and enter a password using the splunkd rest --noauth command.

This method is not secure because the password appears in plain text in the command line history unless you immediately delete the history after running the command.

You must restart Splunk Enterprise after using splunkd REST commands.

$ splunk cmd splunkd rest --noauth POST /services/authentication/users "name=admin&password=<your password>&roles=admin"

Create admin credentials using the --seed-passwd or --gen-and-print-passwd CLI arguments

This method of creating the credentials is not secure because the password appears in the command line history, in process output (for example, ps aux), and in similar places. Splunk Enterprise does not prompt you to create an administrator username in these cases, and instead uses the default of admin.

  • Create a password when you start Splunk Enterprise with the --seed-passwd argument:
    splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>
  • Generate a random password and print the random password immediately:
    splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd

Create admin credentials for automated installations with the 'hash-passwd' CLI command

You can use this method in automated installations where you save and distribute user-seed.conf to other instances. In most cases, you place user-seed.conf in the $SPLUNK_HOME/etc/system/local directory on these instances.

This method is secure as long as you delete the command line history after completing the procedure.

  1. Create a hash from a plain-text password:
    splunk hash-passwd <plaintext password>

    For example:
    $ splunk hash-passwd <your password>
    $6$hf3syG/qxy6REoBp...

  2. Copy the hash and place it into the user-seed.conf file. You can safely write the output of the hash-passwd command in user-seed.conf. For example:
    [user_info]
    USERNAME = admin
    HASHED_PASSWORD = $6$hf3syG/qxy6REoBp...
  3. To validate a password and make sure it conforms to the password complexity requirements, use the splunk validate-passwd CLI command. You can pass the password as an argument or pipe it in from a file:
    splunk validate-passwd <your password>
    cat passwd.txt | splunk validate-passwd -

    For example, a password that is too short is rejected:
    $ splunk validate-passwd weakpas
    ERROR: Password did not meet complexity requirements. Password must contain at least:
       * 8 total printable ASCII character(s).
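For the automated-installation workflow in steps 1 to 3, here is an added helper (example code, not Splunk's own) that takes the hash already produced by splunk hash-passwd, applies the complexity rule quoted above to a candidate password, refuses to write anything that is not a $6$ crypt hash, and places user-seed.conf in the instance's etc/system/local directory with 0600 permissions. The directory path and the digest portion of EXAMPLE_HASH are constructed placeholders; only the salt comes from the page's sample output.

```python
import os
import re
import tempfile

# splunk hash-passwd emits a SHA-512 crypt string: $6$<salt, up to 16 chars>$<86-char digest>
SHA512_CRYPT = re.compile(r"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")
# Salt from the page's example output; the digest part is a constructed placeholder.
EXAMPLE_HASH = "$6$hf3syG/qxy6REoBp$" + "A" * 86

def meets_complexity(password: str, min_len: int = 8) -> bool:
    """The rule quoted from validate-passwd: at least 8 printable ASCII characters."""
    return len(password) >= min_len and all(0x20 <= ord(c) <= 0x7E for c in password)

def is_sha512_crypt(value: str) -> bool:
    return SHA512_CRYPT.fullmatch(value.strip()) is not None

def render_user_seed(username: str, hashed_password: str) -> str:
    """Return the user-seed.conf body; refuse anything that is not a $6$ hash so plaintext never lands in the file."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        raise ValueError("username contains characters unsafe for user-seed.conf")
    if not is_sha512_crypt(hashed_password):
        raise ValueError("not a SHA-512 crypt hash; refusing to store it")
    return f"[user_info]\nUSERNAME = {username}\nHASHED_PASSWORD = {hashed_password.strip()}\n"

def write_user_seed(local_dir: str, username: str, hashed_password: str) -> str:
    """Write <local_dir>/user-seed.conf owner-readable only (mkstemp creates it 0600) and rename it into place."""
    body = render_user_seed(username, hashed_password)
    os.makedirs(local_dir, mode=0o700, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(dir=local_dir, prefix=".user-seed.")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    target = os.path.join(local_dir, "user-seed.conf")
    os.replace(tmp_path, target)  # atomic: a half-written file is never visible under the final name
    return target

def verify_user_seed(path: str) -> bool:
    """Post-write check: mode is exactly 0600, no plaintext PASSWORD key, HASHED_PASSWORD is a $6$ string."""
    try:
        mode = os.stat(path).st_mode & 0o777
        with open(path) as fh:
            body = fh.read()
    except OSError:
        return False
    hashed = re.search(r"^HASHED_PASSWORD = (\S+)$", body, re.M)
    no_plain = re.search(r"^PASSWORD\s*=", body, re.M) is None
    return mode == 0o600 and no_plain and hashed is not None and is_sha512_crypt(hashed.group(1))

if __name__ == "__main__":
    out = write_user_seed(tempfile.mkdtemp(), "admin", EXAMPLE_HASH)
    print(out, verify_user_seed(out))
```

In a real deployment you would pass the path $SPLUNK_HOME/etc/system/local instead of a temporary directory and then restart Splunk Enterprise, as step 2 of the user-seed.conf method describes.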
    

Reset a lost password

If you lose or forget the admin password, you can reset it. You must have the ability to write to the underlying password file ($SPLUNK_HOME/etc/passwd).

splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"

You must restart Splunk Enterprise after making this change.

Last modified on 25 February, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4

