Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Best practices for hardening Splunk Enterprise servers and the operating systems they use

Following are some best practices that can help you ensure that your Splunk Enterprise systems have the highest level of security at all levels.

Operating System

To maximize security, harden the operating system on all computers where you run Splunk Enterprise.

  • If your organization does not have internal hardening standards, see the CIS hardening benchmarks.
  • At a minimum, limit access to shell and command prompts on any machine that runs Splunk components.

Splunk software

  • Configure redundant Splunk Enterprise instances, with each performing indexing duties on the same data.
  • Perform regular backups of all your Splunk Enterprise configurations and index data.
  • Develop and execute a disaster recovery plan, where possible. The plan should include the ability to periodically recover your Splunk Enterprise environment from a backup.
  • When you install or upgrade Splunk Enterprise, verify that the Splunk download is authentic by using a hash function such as Message Digest 5 (MD5) to compare the hashes of the download file with what Splunk provides. For example:

./openssl dgst md5 <filename-splunk-downloaded.zip>

Client browser

Physical security

  • Ensure only authorized personnel have physical access to the machines that run Splunk Enterprise. If possible, lock servers in a data center or well-ventilated server room with limited access.
  • Ensure that the users who access the Splunk Enterprise instance practice sound physical and endpoint security.
    • Set a short time-out for Splunk Web user sessions. See Configure timeouts for more information.

More opportunities to secure your configuration

  • To ensure that your can retain configuration changes in your Splunk Enterprise deployment, use a configuration management tool, such as git, to provide version control for Splunk configurations.
  • Integrate Splunk Enterprise configuration changes into your existing change management framework.
  • Configure Splunk Enterprise to monitor its own configuration files and provide alerts on changes.
Last modified on 12 October, 2021
Harden the network port that App Key Value Store uses   Use network access control lists to protect your deployment

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters