Configure Splunk Enterprise for IPv6
Implementing IPv6 support for Splunk Enterprise requires familiarity with configuration files, the ports used by Splunk software, and data input configurations.
IPv6 platform support
Splunk Enterprise IPv6 support depends on the operating system that the Splunk software or a Universal Forwarder is installed on. For a table of supported OS platforms, see Supported Operating Systems in the Installation Manual.
Unsupported operating systems
IPv6 support is unavailable on the AIX operating system.
Splunk Enterprise and IPv6 functionality
The IPv6 configuration in Splunk Enterprise is disabled by default. Before enabling IPv6 support, determine what functionality you want to access with an IPv6 address.
Functionality | Details |
---|---|
Allow the Splunk Enterprise software to listen on the Splunk management port and KVStore port over IPv6. | See Configure Splunk Enterprise to listen on an IPv6 network. |
Allow access to Splunk Web over IPv6. | See Configure Splunk Web to listen on IPv6. |
Configure a single IPv6 listener for inbound network traffic. | See Configure an IPv6 listener on one network input. |
Use a Splunk CLI command to access Splunk Enterprise over IPv6. | See Use the Splunk CLI over IPv6. |
Configure a Splunk Forwarder to send data to Splunk Enterprise over IPv6. | See Forwarding data over IPv6. |
Configure Splunk Enterprise distributed search for outbound communication over IPv6. | See Distributed search configuration for IPv6. |
Configure IPv6 support with single sign-on. | See IPv6 support with single sign-on (SSO). |
Change how Splunk Enterprise prioritizes IPv4 and IPv6 communication behavior. | See Change the prioritization of IPv4 and IPv6 communications. |
Configure Splunk Enterprise to listen on an IPv6 network
Use the steps below to configure Splunk Enterprise to listen on the Splunk management port and KVStore port over IPv6.
- Using a shell prompt, go to the folder
$SPLUNK_HOME/etc/system/local
. - Edit the server.conf file.
- Under the
[general]
stanza, add the linelistenOnIPv6 = yes
. - Save the changes.
- Restart the Splunk Enterprise instance.
- Verify that the service is listening on the appropriate port using
netstat
or a similar utility. - (Optional) Change the prioritization of IPv4 and IPv6 communications. See Change the prioritization of IPv4 and IPv6 communications.
After IPv6 is enabled on the Splunk management port, any ports previously defined in the inputs.conf will also listen on IPv6.
Configure Splunk Web to listen on IPv6
Use the steps below to configure Splunk Web to accept communications over IPv6.
- Using a shell prompt, go to the folder
$SPLUNK_HOME/etc/system/local
. - Edit the web.conf file.
- Under the
[settings]
stanza, add the linelistenOnIPv6 = yes
. - Save the changes.
- Restart the Splunk Enterprise instance.
- Verify that the service is listening on the appropriate port using
netstat
or a similar utility. - Use a web browser to connect to Splunk Web. For example, http://[2620:70:8000:c205::129]:8000.
Change the prioritization of IPv4 and IPv6 communications
After you configure Splunk Enterprise to support IPv6, the services will listen on both IPv4 and IPv6 ports for communication.
To prioritize or limit ports to one IP protocol, review and change the connectUsingIpVersion
setting in server.conf.
If you configure both Splunk Enterprise and Splunk Web to listen only on IPv6, you must change the web.conf setting mgmtHostPort
from 127.0.0.1:8089
to [::1]:8089
.
Configure an IPv6 listener on one network input
The inputs.conf stanzas [tcp], [udp], [tcp-ssl], [splunktcp], [splunktcp-ssl]
will all accept the listenOnIPv6
setting. The listenOnIPv6
setting for a specific input takes precedence over the configuration applied in server.conf
.
To enable IPv6 on a single input, add the setting listenOnIPv6 = yes
to the input stanza defined in an inputs.conf file.
- Using a shell prompt, go to the folder
$SPLUNK_HOME/bin
. - Use the
btool
command to identify the location of the inputs.conf you want to modify. For example, to find a splunktcp stanza type:./splunk btool inputs list --debug | grep splunktcp - Go to the location of the inputs.conf file found with
btool
. - Edit the inputs.conf file.
- Under the input stanza add the line:
listenOnIPv6 = yes
. - Save the changes.
- Restart the Splunk Enterprise instance.
- Verify that the service is listening on the appropriate port using
netstat
or a similar utility.
Use the Splunk CLI over IPv6
You can use the Splunk CLI to communicate to a Splunk Enterprise instance over IPv6. The remote instance must be configured to listen for IPv6 on the Splunk management port. See Configure Splunk Enterprise to listen on an IPv6 network.
To access Splunk Enterprise from the CLI, use the -uri
command with an IPv6 address, for example, ./splunk display app -uri "https://[2620:70:8000:c205::129]:8089"
You can pre define the destination address, use the $SPLUNK_URI
environment variable in your shell prompt. See Change your default URI value.
For more CLI commands, see Get help with the CLI.
If you use link-local addressing on IPv6 (seen as an IPv6 address beginning with fe80:
), some of the CLI commands can fail. This failure is due to the OS-level implementation of IPv6 with link-local addresses, and not Splunk software.
Forwarding data over IPv6
To enable a forwarder to send data to another Splunk Enterprise instance over IPv6, edit the outputs.conf and update the server =
parameter with an IPv6 address formatted as [host]:port
, for example, server = [2002:4721:93f0::e956]:9997
. The outputs.conf stanzas [tcpout], [tcpout-server], [syslog]
accepts IPv6 addresses.
Distributed search configuration for IPv6
The servers
setting in distsearch.conf can include IPv6 addresses in the standard [host]:port
format. The remote instance must be configured to listen for IPv6 on the Splunk management port. See Configure Splunk Enterprise to listen on an IPv6 network.
IPv6 support with single sign-on
If you use IPv6 with single sign-on (SSO), don't use the square bracket notation for any IPv6 address referenced in the trustedIP
setting, as shown in the following example. The square bracket notation exception applies when setting trustedIP
in web.conf or server.conf.
[settings] mgmtHostPort = [::1]:8089 startwebserver = 1 listenOnIPv6=yes trustedIP=2620:70:8000:c205:250:56ff:fe92:1c7,::1,2620:70:8000:c205::129 SSOMode = strict remoteUser = X-Remote-User tools.proxy.on = true
For more information on SSO, see Configure Single Sign-on in the Securing Splunk Enterprise manual.
Bind Splunk to an IP | Secure your configuration |
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
Feedback submitted, thanks!