Splunk® Enterprise

Securing the Splunk Platform


Best practices for hardening Splunk Enterprise servers and the operating systems they use

Following are some best practices that can help you ensure that your Splunk Enterprise systems have the highest level of security at all levels.

Operating System

To maximize security, harden the operating system on all computers where you run Splunk Enterprise.

  • If your organization does not have internal hardening standards, see the CIS hardening benchmarks.
  • At a minimum, limit access to shell and command prompts on any machine that runs Splunk components.

Splunk software

  • Configure redundant Splunk Enterprise instances, with each performing indexing duties on the same data.
  • Perform regular backups of all your Splunk Enterprise configurations and index data.
  • Develop and execute a disaster recovery plan, where possible. The plan should include the ability to periodically recover your Splunk Enterprise environment from a backup.
  • When you install or upgrade Splunk Enterprise, verify that the Splunk download is authentic by using a hash function such as Message Digest 5 (MD5) to compare the hash of the downloaded file with the hash that Splunk provides. For example:

./openssl dgst -md5 <filename-splunk-downloaded.zip>
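The hash comparison described above, wrapped in a small POSIX shell function as an added example (this is not part of the Splunk documentation). It assumes `openssl` is on the PATH, takes the published hash as an argument, and defaults to MD5 to match the text; passing `sha256` or `sha512` as the third argument selects a stronger digest when one is published.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation.
# Usage: verify_download <file> <expected-hash> [digest]
# <digest> defaults to md5 (as in the text above); sha256 and sha512 also work.

verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise case
    digest=${3:-md5}

    if [ ! -f "$file" ]; then
        echo "verify_download: no such file: $file" >&2
        return 2
    fi

    # openssl prints "MD5(file)= <hex>"; keep only the final hex field.
    actual=$(openssl dgst "-$digest" "$file" | awk '{print $NF}' | tr 'A-F' 'a-f')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file ($digest) matches the published digest"
        return 0
    fi
    echo "MISMATCH: $file ($digest)" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Offline self-check on a constructed input: the MD5 of the string "hello"
# is a well-known value, so it stands in for a real download here.
selfcheck() {
    tmp=$(mktemp)
    printf 'hello' > "$tmp"
    if verify_download "$tmp" 5d41402abc4b2a76b9719d911017c592; then ok=0; else ok=1; fi
    rm -f "$tmp"
    return $ok
}

# Run directly against a real download:
#   ./verify_download.sh <splunk-package> <hash-from-download-page> [digest]
if [ "$#" -ge 2 ]; then
    verify_download "$@"
fi
```

A non-zero exit status on mismatch lets the check be chained into an install script so an altered or truncated package stops the upgrade instead of being installed.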

Client browser

Physical security

  • Ensure only authorized personnel have physical access to the machines that run Splunk Enterprise. If possible, lock servers in a data center or well-ventilated server room with limited access.
  • Ensure that the users who access the Splunk Enterprise instance practice sound physical and endpoint security.
    • Set a short time-out for Splunk Web user sessions. See Configure timeouts for more information.

More opportunities to secure your configuration

  • To ensure that you can retain configuration changes in your Splunk Enterprise deployment, use a configuration management tool, such as git, to provide version control for Splunk configurations.
  • Integrate Splunk Enterprise configuration changes into your existing change management framework.
  • Configure Splunk Enterprise to monitor its own configuration files and provide alerts on changes.
Last modified on 12 October, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2

