Use network access control lists to protect your deployment
You can limit network access to your Splunk Enterprise deployment by using access control lists in configuration files to restrict incoming network traffic to deployment components such as indexers and search heads.
Splunk Cloud Platform has security safeguards in place that limit access to nearly all components except for Splunk Web from external networks. You can also configure which addresses on your network have access to components of Splunk Cloud Platorm using the Splunk Cloud Platform Admin Config Service (ACS) API.
Configure network access control lists (ACLs) in Splunk Cloud Platform
To learn about how to use the Splunk Cloud Platform ACS API to limit network access to your Splunk Cloud Platform instance, see Configure IP allow lists for Splunk Cloud Platform.
Configure network ACLs in Splunk Enterprise
To configure ACLs to protect a Splunk Enterprise deployment, you use the
inputs.conf configuration files to specify the network IP addresses that the deployment can accept or reject for various communications.
When you configure an ACL, you supply one or more IP addresses to determine what the instance is to accept or reject. You separate multiple addresses with either commas or spaces. You can provide the addresses in the following formats:
- A single IPv4 or IPv6 address. For example:
- A Classless Inter-Domain Routing (CIDR) block of addresses. For example:
- A DNS name, possibly with an * used as a wildcard, for example:
- A single
*which matches anything (this is the default value).
To add addresses that you wish to include, you add the addresses in one of the formats described below. To exclude an address you prefix the address with
!, the exclamation point.
The Splunk deployment applies the rules in order, and uses the first one that matches. For example,
!10.1/16, * lets connections in from everywhere except the 10.1.*.* network.
Where to configure network ACLs in Splunk Enterprise
You can secure IP addresses for the following connections by editing the
[Accept from] value:
- To instruct a node to only accept replicated data from other nodes with specific IPs, edit the
httpServerstanza in the
If you set this setting, you must confirm that you include the IP addresses of all other peers in the cluster. For more information about clusters, see "About clusters and index replication" For more information about editing the server.conf file, see server.conf.
- To restrict TCP communications to specific IP addresses, edit the
tcpstanza in the
inputs.conffile. Be careful, as changes in this file overwrite the output values in the
server.conffile if there are conflicts.
- To restrict TCP communications that use Secure Sockets Layer (SSL) to specific IP addresses, edit the
tcp-sslstanza in the
- To configure your indexer to accept data only from forwarders with specific IP addresses, edit the
splunktcpstanza in the
inputs.conffile on the indexer where you want to restrict the access. This prevents outside actors from setting up a machine to act like a forwarder and possibly corrupting your data.
- If you secure your forwarder-to-indexer communications with SSL, edit the
splunktcp-sslstanza in the
inputs.conffile on the indexer to instruct it to only accept data from forwarders with specific IP addresses.
- To restrict User Datagram Protocol (UDP) communications to specific IP addresses, edit the
UDPstanza in the
For more information about editing the
inputs.conf, see the specification file for inputs.conf.
Best practices for hardening Splunk Enterprise servers and the operating systems they use
Use access control to secure Splunk data
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5
Feedback submitted, thanks!