Splunk® Enterprise

Inherit a Splunk Enterprise Deployment

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Review security configurations and certificates

After you identify how Splunk users log into your deployment and what they can see when they log in, the next step is to identify how Splunk Web and the instances in your deployment have been secured: which certificates they present, and which connections actually use TLS.

Splunk software ships with a set of default TLS certificates. The software generates and configures these certificates the first time it starts and places them in the $SPLUNK_HOME/etc/auth/ directory on each Splunk Enterprise instance. The default certificates encrypt traffic in transit but cannot authenticate a peer: they are signed by a root certificate that is identical in every Splunk download, so any Splunk instance, including one an attacker installs, can present a certificate that the defaults trust. Where possible, replace these certificates with certificates that you sign with your own CA or obtain from a third-party CA.

To understand the relationship of encryption between individual Splunk Enterprise instances using the default TLS certificates that come with the product, see Table of most common encrypted Splunk Platform instance communication scenarios in Securing Splunk Enterprise.

Verify TLS configurations

You can determine whether the connections between Splunk Enterprise instances actually use TLS with the following procedures.

Verify TLS connections from Splunk Web

Run the following search in Splunk Web. It lists, for each forwarder that has connected to a receiving port on your indexers, the most recent connection and whether it used TLS (the ssl field is true or false):

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname version sourceIp destPort ssl

Verify TLS connections between Indexers and forwarders

On an indexer, open $SPLUNK_HOME/var/log/splunk/splunkd.log and look for messages like the following in the start-up sequence. They confirm that the receiving port was configured for TLS; note the (SSL) suffix on the port line. The sample below comes from an old release: a current deployment should not log "supporting SSL v2/v3", and if it does, restrict the permitted protocol versions.

02-06-2011 19:19:01.552 INFO TcpInputProc - using queueSize 1000
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:01.555 INFO TcpInputProc - Port 9997 is compressed
02-06-2011 19:19:01.556 INFO TcpInputProc - Registering metrics callback for: tcpin_connections

On a forwarder, look in splunkd.log for messages like the following in the start-up sequence. They confirm that the forwarder was configured to use TLS for its outputs and show which client certificate it presents (a clientCert path of $SPLUNK_HOME/etc/auth/server.pem means the Splunk-generated default certificate is still in use):

02-06-2011 19:06:10.844 INFO TcpOutputProc - Retrieving configuration from properties
02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/auth/server.pem
02-06-2011 19:06:10.854 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
02-06-2011 19:06:10.859 INFO TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997

Following is how a successful connection might appear in splunkd.log on an indexer:

02-06-2011 19:19:09.848 INFO TcpInputProc - Connection in cooked mode from 10.1.12.111
02-06-2011 19:19:09.854 INFO TcpInputProc - Valid signature found
02-06-2011 19:19:09.854 INFO TcpInputProc - Connection accepted from 10.1.12.111

Following is how a successful connection might appear in splunkd.log on a forwarder:

02-06-2011 19:19:09.927 INFO TcpOutputProc - attempting to connect to 10.1.12.112:9997...
02-06-2011 19:19:09.936 INFO TcpOutputProc - Connected to 10.1.12.112:9997
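The following Python script is added here as an illustration; it is not part of the Splunk documentation or product. It applies the checks above offline to constructed sample lines: it reproduces the dedup-by-hostname logic of the search above over metrics.log tcpin_connections events, so that a forwarder that reconnected with TLS is judged by its latest connection, and it scans splunkd.log start-up messages worded like the samples above for settings an inherited deployment should not still be running with (legacy SSL versions, RC4 or MEDIUM ciphers, a splunktcp port reserved without (SSL), a forwarder presenting the default server.pem, an empty sslCipher). The log lines are constructed; field names beyond those the page shows (fwdType, ack) are assumptions, and the message patterns are taken from the page's own samples, so adjust them to what your release logs.

```python
import re
from datetime import datetime

# Constructed sample metrics.log events (not captured from a real deployment).
# fwd-c reconnected: its older connection was plaintext, its latest uses TLS.
METRICS_LOG = """\
02-06-2011 19:19:20.000 INFO  Metrics - group=tcpin_connections, 10.1.12.111:40001:9997, connectionType=cooked, sourceIp=10.1.12.111, destPort=9997, kb=12.4, version=9.0.4, hostname=fwd-a, fwdType=uf, ssl=true, ack=false
02-06-2011 19:19:20.000 INFO  Metrics - group=tcpin_connections, 10.1.12.113:40002:9997, connectionType=cooked, sourceIp=10.1.12.113, destPort=9997, kb=3.1, version=8.2.9, hostname=fwd-b, fwdType=uf, ssl=false, ack=false
02-06-2011 19:19:20.000 INFO  Metrics - group=tcpin_connections, 10.1.12.114:40003:9998, connectionType=cooked, sourceIp=10.1.12.114, destPort=9998, kb=0.9, version=9.1.2, hostname=fwd-c, fwdType=hf, ssl=false, ack=true
02-06-2011 19:19:51.000 INFO  Metrics - group=tcpin_connections, 10.1.12.114:40004:9997, connectionType=cooked, sourceIp=10.1.12.114, destPort=9997, kb=7.7, version=9.1.2, hostname=fwd-c, fwdType=hf, ssl=true, ack=true
02-06-2011 19:19:51.000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=0
"""

# Constructed splunkd.log start-up messages, worded like the samples on this page.
SPLUNKD_LOG = """\
02-06-2011 19:19:01.552 INFO  TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO  TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO  TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:01.555 INFO  TcpInputProc - port 9998 is reserved for splunk 2 splunk
02-06-2011 19:06:10.850 INFO  TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/auth/server.pem
02-06-2011 19:06:10.854 INFO  TcpOutputProc - ALL Connections will use SSL with sslCipher=
"""

TS_FMT = "%m-%d-%Y %H:%M:%S.%f"
LINE_RE = re.compile(r"(\S+ \S+) (\w+)\s+(\w+) - (.*)")
KV_RE = re.compile(r"(\w+)=([^,\s]*)")   # value may be empty, as in "sslCipher="
WEAK_CIPHER_RE = re.compile(r"RC4|MEDIUM|DES|MD5")


def parse_event(line):
    """Return (timestamp, component, message, {key: value}) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), TS_FMT)
    return ts, m.group(3), m.group(4), dict(KV_RE.findall(m.group(4)))


def latest_tcpin_connections(log_text):
    """Same result as '... group=tcpin_connections | dedup hostname | table ...':
    one row per forwarder hostname, keeping only its most recent connection."""
    latest = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev[3].get("group") != "tcpin_connections":
            continue
        ts, _, _, f = ev
        host = f.get("hostname")
        if host and (host not in latest or ts >= latest[host]["_time"]):
            latest[host] = {"_time": ts, "hostname": host, "version": f.get("version"),
                            "sourceIp": f.get("sourceIp"), "destPort": f.get("destPort"),
                            "ssl": f.get("ssl") == "true"}
    return sorted(latest.values(), key=lambda r: r["hostname"])


def plaintext_forwarders(log_text):
    """Hostnames whose most recent connection to this receiver did not use TLS."""
    return [r["hostname"] for r in latest_tcpin_connections(log_text) if not r["ssl"]]


def audit_startup_messages(log_text):
    """Flag TLS settings in TcpInputProc/TcpOutputProc start-up messages that an
    inherited deployment should not still be running with."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev[1] not in ("TcpInputProc", "TcpOutputProc"):
            continue
        _, _, msg, f = ev
        if "supporting SSL v2/v3" in msg:
            findings.append("legacy SSLv2/SSLv3 advertised on the receiving port; restrict sslVersions")
        suite = f.get("cipherSuite")
        if suite:
            # tokens prefixed with '!' are exclusions; only tokens that admit ciphers matter
            weak = [t for t in suite.split(":") if not t.startswith("!") and WEAK_CIPHER_RE.search(t)]
            if weak:
                findings.append("receiving-port cipher list admits weak suites: " + ", ".join(weak))
        m = re.search(r"port (\d+) is reserved for splunk 2 splunk(?! \(SSL\))", msg)
        if m:
            findings.append("splunktcp port %s is configured without (SSL): forwarders send plaintext" % m.group(1))
        cert = f.get("clientCert")
        if cert and cert.endswith("/etc/auth/server.pem"):
            findings.append("forwarder presents the Splunk-generated default certificate: " + cert)
        if f.get("sslCipher") == "":
            findings.append("forwarder sslCipher is empty; the cipher choice falls back to the default list")
    return findings


if __name__ == "__main__":
    for row in latest_tcpin_connections(METRICS_LOG):
        print("%-6s version=%-6s %s:%s ssl=%s" % (row["hostname"], row["version"],
                                                 row["sourceIp"], row["destPort"], row["ssl"]))
    print("plaintext forwarders:", plaintext_forwarders(METRICS_LOG))
    for finding in audit_startup_messages(SPLUNKD_LOG):
        print("FINDING:", finding)
```

On a real indexer, read the lines from $SPLUNK_HOME/var/log/splunk/metrics.log and splunkd.log instead of the constants; in Splunk Web the equivalent of plaintext_forwarders() is the search above with | where ssl="false" appended. Judging each forwarder by its latest connection is deliberate: it matches the dedup in the search, and it separates forwarders that still send in clear from ones that were fixed and reconnected.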

About securing distributed environments

Search heads authenticate themselves to their search peers with public-key cryptography.

At startup, Splunk software generates a private key and a public key on each Splunk Enterprise installation, in $SPLUNK_HOME/etc/auth/distServerKeys/. When you configure distributed search on a search head, the search head distributes its public key to the peers, and the peers use that key to verify that incoming search requests come from a trusted search head. The requests themselves travel over the management port (8089 by default), whose TLS settings live in the [sslConfig] stanza of server.conf. This default configuration provides built-in encryption as well as data compression that improves performance. See Distribute the key files in the Distributed Search Manual.

This public-key scheme secures distributed search by default. You can additionally require TLS client certificates between the members of a search head cluster by configuring each member. To determine whether the members of an inherited cluster already require them, check the requireClientCert attribute in the [sslConfig] stanza of server.conf on each member. See Secure your deployment server and clients using certificate authentication in Securing Splunk Enterprise.
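The requireClientCert check above is one of several settings worth reading off every inherited instance. The following Python script is an added example, not Splunk code: it parses constructed server.conf and inputs.conf fragments for one indexer and reports the TLS settings a reviewer would want to know about (requireClientCert and sslVerifyServerCert not enabled, serverCert or sslRootCAPath still pointing at the Splunk-generated default files, sslVersions allowing pre-TLS 1.2 protocols, a plaintext splunktcp:// receiving port, and sslPassword or pass4SymmKey values stored in clear rather than as $7$ values). The stanza and key names are the real ones; the file contents, host names and the $7$ placeholder are constructed for the example.

```python
import configparser

# Constructed server.conf and inputs.conf fragments for one indexer (not from a real
# deployment). The $7$ value is a placeholder, not a real encrypted password.
SERVER_CONF = """\
[general]
serverName = idx01
pass4SymmKey = changeme

[sslConfig]
enableSplunkdSSL = true
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslPassword = password
sslVerifyServerCert = false
requireClientCert = false
sslVersions = *,-ssl2
"""

INPUTS_CONF = """\
[splunktcp://9997]
disabled = 0

[splunktcp-ssl:9998]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/idx01.pem
sslPassword = $7$c29tZS1lbmNyeXB0ZWQtc3RyaW5nLXBsYWNlaG9sZGVy
requireClientCert = true
sslVersions = tls1.2
"""

DEFAULT_CERT_FILES = ("/etc/auth/server.pem", "/etc/auth/cacert.pem", "/etc/auth/ca.pem")
CREDENTIAL_KEYS = ("sslPassword", "pass4SymmKey")


def load_conf(text):
    """Parse a Splunk .conf file; keys keep their case and $-values are left alone."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def tls_stanza_findings(name, stanza):
    """Review one TLS stanza ([sslConfig] in server.conf or [SSL] in inputs.conf)."""
    out = []
    if stanza.get("requireClientCert", "false").lower() != "true":
        out.append("%s: requireClientCert is not true; peers are not asked for a client certificate" % name)
    if name == "sslConfig" and stanza.get("sslVerifyServerCert", "false").lower() != "true":
        out.append("%s: sslVerifyServerCert is not true; outbound connections accept any certificate" % name)
    for key in ("serverCert", "sslRootCAPath"):
        path = stanza.get(key, "")
        if path.endswith(DEFAULT_CERT_FILES):
            out.append("%s: %s points at a Splunk-generated default certificate (%s)" % (name, key, path))
    versions = [v.strip() for v in stanza.get("sslVersions", "").split(",") if v.strip()]
    if any(v == "*" or v.startswith(("ssl", "tls1.0", "tls1.1")) for v in versions):
        out.append("%s: sslVersions=%s still allows pre-TLS 1.2 protocols" % (name, stanza.get("sslVersions")))
    return out


def credential_findings(cp, filename):
    """Report credentials stored in clear (not yet rewritten as $7$/$1$ by splunkd)."""
    out = []
    for section in cp.sections():
        for key in CREDENTIAL_KEYS:
            value = cp[section].get(key)
            if value and not value.startswith(("$7$", "$1$")):
                out.append("%s [%s]: %s is stored in cleartext" % (filename, section, key))
    return out


def audit_tls_config(server_conf_text, inputs_conf_text):
    """Findings for an inherited indexer: server.conf [sslConfig], inputs.conf [SSL],
    plaintext splunktcp inputs, and cleartext credentials."""
    server, inputs = load_conf(server_conf_text), load_conf(inputs_conf_text)
    findings = []
    if server.has_section("sslConfig"):
        findings += tls_stanza_findings("sslConfig", server["sslConfig"])
    if inputs.has_section("SSL"):
        findings += tls_stanza_findings("SSL", inputs["SSL"])
    for section in inputs.sections():
        if section.startswith("splunktcp://") and inputs[section].get("disabled", "0") in ("0", "false"):
            findings.append("inputs.conf [%s]: receiving port accepts forwarders without TLS" % section)
    findings += credential_findings(server, "server.conf")
    findings += credential_findings(inputs, "inputs.conf")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_config(SERVER_CONF, INPUTS_CONF):
        print("FINDING:", finding)
```

Run it against the merged configuration rather than a single file: settings are layered across $SPLUNK_HOME/etc/system/local and the apps, and the values in effect are what splunk btool server list sslConfig and splunk btool inputs list SSL print. A cleartext sslPassword or pass4SymmKey in a file that splunkd has already restarted with usually means the file was edited by hand on a copy that was never loaded, which is worth understanding before you trust the rest of that host's configuration.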

Encryption with the splunk.secret key

The splunk.secret file contains the key with which Splunk software encrypts the credentials stored in these configuration files:

  • web.conf: SSL passwords on every instance
  • authentication.conf: LDAP passwords, if you have any
  • inputs.conf: SSL passwords, if you use splunktcp-ssl
  • outputs.conf: SSL passwords, if you use splunktcp-ssl
  • server.conf: pass4symmkey, if you have one

At initial startup, Splunk Enterprise creates the splunk.secret file in the $SPLUNK_HOME/etc/auth/ directory. Passwords in the configuration files listed above are stored encrypted with this key; encrypted values begin with $7$ (or $1$ in releases before 7.2). If you write a cleartext password into one of those files, splunkd encrypts it in place at the next restart. Two consequences matter for an inherited deployment. First, splunk.secret is a key, not a hash: anyone who can read it can recover every credential on that instance, so keep the file readable only by the user splunkd runs as and include it in backups. Second, an encrypted value is only portable to another instance with an identical splunk.secret, which is why the members of a cluster, and the clients of a deployment server that pushes encrypted passwords, must share the same splunk.secret.
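To make concrete what the key in splunk.secret protects, here is a Python implementation, added for this page and not Splunk's own code, of the $7$ format that current releases write into the files listed above. It assumes the publicly documented scheme: the AES-256 key is PBKDF2-HMAC-SHA256 over the first 254 bytes of splunk.secret with the fixed salt disk-encryption and a single iteration, and the stored value is $7$ followed by the base64 of a 16-byte IV, the AES-GCM ciphertext and the 16-byte tag. It needs the cryptography package; the secret and the stored values are constructed for the example, and the function names and the splunk.secret path are the example's own.

```python
import base64
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Fixed salt of the $7$ scheme (assumption: matches the publicly documented format).
SALT = b"disk-encryption"
IV_LEN = 16   # a $7$ value carries a 16-byte IV before the ciphertext and a 16-byte GCM tag after it

# Constructed stand-in for the 254-character contents of $SPLUNK_HOME/etc/auth/splunk.secret.
CONSTRUCTED_SECRET = "".join(chr(33 + (i * 7) % 94) for i in range(254)).encode()


def load_secret(path):
    """Read splunk.secret as bytes, dropping the trailing newline the file usually has."""
    with open(path, "rb") as fh:
        return fh.read().rstrip(b"\r\n")


def derive_key(secret):
    """$7$ key: PBKDF2-HMAC-SHA256 over the first 254 bytes of splunk.secret,
    one iteration, fixed salt, 32-byte output (AES-256)."""
    return hashlib.pbkdf2_hmac("sha256", secret[:254], SALT, 1, dklen=32)


def encrypt7(secret, plaintext):
    """Produce a $7$ value as splunkd would write it into a .conf file."""
    iv = os.urandom(IV_LEN)
    ct_and_tag = AESGCM(derive_key(secret)).encrypt(iv, plaintext.encode(), None)
    return "$7$" + base64.b64encode(iv + ct_and_tag).decode()


def decrypt7(secret, value):
    """Recover the cleartext of a $7$ value; raises InvalidTag if the secret is wrong."""
    if not value.startswith("$7$"):
        raise ValueError("only $7$ values are handled here (older $1$ values use a different scheme)")
    blob = base64.b64decode(value[3:])
    iv, ct_and_tag = blob[:IV_LEN], blob[IV_LEN:]
    return AESGCM(derive_key(secret)).decrypt(iv, ct_and_tag, None).decode()


def encrypted_with(secret, value):
    """True if value was encrypted under secret: the check to run before copying
    a .conf file with $7$ values to another instance."""
    try:
        decrypt7(secret, value)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    stored = encrypt7(CONSTRUCTED_SECRET, "changeme")
    print("pass4SymmKey =", stored)
    print("decrypts to:", decrypt7(CONSTRUCTED_SECRET, stored))
    other_instance_secret = CONSTRUCTED_SECRET[::-1]   # a host with a different splunk.secret
    print("readable on the other instance:", encrypted_with(other_instance_secret, stored))
```

Against a real instance, replace CONSTRUCTED_SECRET with load_secret("/opt/splunk/etc/auth/splunk.secret") and pass a value copied from a .conf file; the product exposes the same operation as splunk show-decrypted --value '$7$...'. The design point is that the GCM tag is what makes encrypted_with() reliable: a wrong secret does not yield garbage, it fails authentication, so a False result on a second host is a definite sign that its splunk.secret differs, which is the usual cause of pushed configurations whose passwords the receiving instance cannot use.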

More information

See the following topics for more information on securing your Splunk Enterprise deployment.

For an introduction to using TLS to secure your Splunk Enterprise instances:

For information on how to secure Splunk Web:

For information on how to secure connections between Splunk platform instances and processes:

For information on how to secure connections between Splunk indexers and forwarders:

Last modified on 13 December, 2022

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0