Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Some best practices for your servers and operating system

The most secure Splunk platform instance or deployment is one in which all of the computers that support the deployment are also secured, with up-to-date software patches, network configurations that limit access, and user accounts that have permissions that are limited in scope.

Operating System

To maximize security, harden the operating system on all computers where you run Splunk software.

  • If your organization does not have internal hardening standards, consult the CIS hardening benchmarks.
  • As a minimum, limit shell or command line access to your Splunk platform instances.

Splunk platform

  • Configure redundant Splunk platform instances, both indexing a copy of the same data.
  • Backup Splunk data and configurations regularly.
  • Execute a periodic recovery test by attempting to restore Splunk Enterprise from backup.
  • Verify your Splunk download using a hash function such as Message Digest 5 (MD5) to compare the hashes.

Client browser

  • Use a current version of a supported browser, such as Firefox or Chrome. Don't use older browsers as they are more susceptible to insertion attacks by malicious parties.
  • Use a client-side JavaScript blocker such as noscript.
  • Where possible, use filters to help protect against XSS, XSRF, and similar exploits.

Physical security

  • Where possible, secure physical access to all Splunk platform instances.
  • Ensure that Splunk end users practice sound physical and endpoint security.
    • Set a short time-out for Splunk Web user sessions. See Configure timeouts for more information.
    • In organizations where users don't use Splunk Web, disable Splunk Web entirely on instances that don't need it.

More opportunities to secure your configuration

  • Use Splunk Enterprise to track changes to configuration files at the filesystem level. The auditing capability includes the tracking of .conf files, as well as their underlying stanzas and setting-value pairs, to improve root cause analysis and auditing. See Configuration file auditing in the Troubleshooting Manual
  • Use a configuration management tool to provide version control for Splunk configurations.
  • Integrate Splunk configuration changes into your existing change management framework.
Last modified on 16 June, 2022
SPL safeguards for risky commands   Troubleshoot Splunk forwarder TCP tokens

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters