Splunk® Enterprise

Securing Splunk Enterprise

Disable unnecessary Splunk Enterprise components

You can disable certain components of Splunk Enterprise to reduce potential attack surfaces in your deployment if you don't need to use them.

Disable unnecessary Splunk Enterprise components in single-server Splunk Enterprise deployments

  • Where possible, do not run Splunk Web on forwarders of any kind.
  • Where possible, disable any configuration that lets forwarders receive data on Transmission Control Protocol (TCP) or user datagram protocol (UDP) network ports or from other Splunk Enterprise instances.

Disable unnecessary Splunk Enterprise components in multiserver Splunk Enterprise deployments

  • Where possible, disable any configuration that lets Search heads receive data on TCP or UDP network ports or from other Splunk Enterprise instances
  • If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers.

Disable Splunk Web

The fastest way to turn off Splunk Web on an instance that is capable of running it is to use Splunk Web.

  1. From the system bar, choose Settings > Server settings.
  2. Select General settings.
  3. In the Splunk Web section, in the Run Splunk Web radio button, select No.
  4. Select Save.
  5. Restart the Splunk Enterprise instance.

You can also deactivate Splunk Web by editing the web.conf configuration file and giving the startwebserver a value of 0 or false. You must have administrative access to the machine where you want to disable Splunk Web, and familiarity with command line tools.

  1. On the Splunk Enterprise instance where you want to deactivate Splunk Web, open a shell prompt or terminal window.
  2. From this prompt, go to the $SPLUNK_HOME/etc/system/local directory.
  3. Open the web.conf configuration file for editing. You might need to create this file.
  4. Add the following line to the [settings] stanza within the web.conf file
    startwebserver = 0
  5. Save the web.conf file and close it.
  6. Restart the Splunk Enterprise instance.
Last modified on 20 December, 2023
Secure Splunk Enterprise on your network   Secure Splunk Enterprise service accounts

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters