Disable unnecessary Splunk Enterprise components
You can disable certain components of Splunk Enterprise to reduce potential attack surfaces in your deployment if you don't need to use them.
Disable unnecessary Splunk Enterprise components in single-server Splunk Enterprise deployments
- Where possible, do not run Splunk Web on forwarders of any kind.
- Where possible, disable any configuration that lets forwarders receive data on Transmission Control Protocol (TCP) or user datagram protocol (UDP) network ports or from other Splunk Enterprise instances.
Disable unnecessary Splunk Enterprise components in multiserver Splunk Enterprise deployments
- Where possible, disable any configuration that lets Search heads receive data on TCP or UDP network ports or from other Splunk Enterprise instances
- If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers.
Disable Splunk Web
The fastest way to turn off Splunk Web on an instance that is capable of running it is to use Splunk Web.
- From the system bar, choose Settings > Server settings.
- Select General settings.
- In the Splunk Web section, in the Run Splunk Web radio button, select No.
- Select Save.
- Restart the Splunk Enterprise instance.
You can also deactivate Splunk Web by editing the web.conf configuration file and giving the startwebserver
a value of 0 or false. You must have administrative access to the machine where you want to disable Splunk Web, and familiarity with command line tools.
- On the Splunk Enterprise instance where you want to deactivate Splunk Web, open a shell prompt or terminal window.
- From this prompt, go to the $SPLUNK_HOME/etc/system/local directory.
- Open the web.conf configuration file for editing. You might need to create this file.
- Add the following line to the
[settings]
stanza within the web.conf filestartwebserver = 0
- Save the web.conf file and close it.
- Restart the Splunk Enterprise instance.
Secure Splunk Enterprise on your network | Secure Splunk Enterprise service accounts |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
Feedback submitted, thanks!