Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Secure Splunk Web communications

Splunk Web has a number of functions, and one of the primary ones is to transmit search requests and results between Splunk Enterprise and the browser on your computer. Malicious actors who use packet sniffing and other tools could potentially exploit this communication.

If your Splunk configuration is a distributed environment where customers access Splunk Web from browsers in various locations, implement stronger security measures by using signed certificates.

Use signed certificates to secure Splunk Web communications

There are several ways you can use signed certificates to improve security for your browser to Splunk Web communications:

  • For secured encryption with authentication, you can replace the default certificate with a signed certificate.
    You replace the default certificate that Splunk provides with one that you request from a trusted Certificate Authority (CA). This is the most secure option.
    For more information about obtaining CA certificates for Splunk deployments, see How to obtain certificates from a third-party for Splunk Web.

    You can also use self-signed certificates to secure authentication. However, because you signed them rather than a known and trusted Certificate Authority, browsers do not list you as a CA in their certificate store and, as a result, do not trust you or your certificates. For self-signed certificates to be effective, you need to add your certificate to the certificate store of every browser that will access Splunk Web.

    For more information about creating self-signed certificates for Splunk deployments, see How to create and sign your own TLS certificates.
  • When you use a signed certificate, you can further strengthen your security configuration by turning on common name checking.
    Common name checking adds an extra layer of security by requiring that the X.509 common names provided in the certificates on each communicating instance match. You can enable common name checking when you set up your certificate and configure Splunk Enterprise to check for common names when it authenticates.

    For more information about configuring Splunk Enterprise to use certificates and learn more about common name checking, see Steps for securing your Splunk Enterprise deployment with TLS.

Turn on basic encryption for Splunk Web using default certificates

If your users access Splunk Web from local browsers behind the same firewall as Splunk Web, it might be acceptable to turn on simple encryption using the default certificates that Splunk ships with Splunk Enterprise. It is not as secure as either obtaining certificates from a third party or creating and signing certificates yourself.

Last modified on 05 March, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1
