Review security configurations and certificates
After you identify how Splunk users log into your deployment and what they can see when they log in, the next option is to identify how Splunk Web and the instances on your deployment have been secured.
Splunk software ships with a set of default TLS certificates. The software generates and configures these certificates at startup and places them in the $SPLUNK_HOME/etc/auth/
directory on each Splunk Enterprise instance. The default certificates offer some level of protection but are not nearly as secure as certificates that you create or obtain from a third party. Where possible, replace these certificates with self- or third-party-signed certificates.
To understand the relationship of encryption between individual Splunk Enterprise instances using the default TLS certificates that come with the product, see Table of most common encrypted Splunk Platform instance communication scenarios in Securing Splunk Enterprise.
Verify TLS configurations
You can determine how Splunk Enterprise is using TLS to connect to individual instances with the following procedures
Verify TLS connections to Splunk Web
Use the following Splunk search command to verify your TLS connections in Splunk Web:
index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname version sourceIp destPort ssl
Verify TLS connections between Indexers and forwarders
On an indexer, view the splunkd.log log file and look for the following or similar messages at the start-up sequence to verify a successful connection:
02-06-2011 19:19:01.552 INFO TcpInputProc - using queueSize 1000 02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM 02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3 02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL) 02-06-2011 19:19:01.555 INFO TcpInputProc - Port 9997 is compressed 02-06-2011 19:19:01.556 INFO TcpInputProc - Registering metrics callback for: tcpin_connections
On a forwarder, look in the splunkd.log for the following or similar messages at the start-up sequence to verify a successful connection:
02-06-2011 19:06:10.844 INFO TcpOutputProc - Retrieving configuration from properties 02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/aut/server.pem 02-06-2011 19:06:10.854 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher= 02-06-2011 19:06:10.859 INFO TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997
Following is how a successful connection might appear in splunkd.log
on an indexer:
02-06-2011 19:19:09.848 INFO TcpInputProc - Connection in cooked mode from 10.1.12.111 02-06-2011 19:19:09.854 INFO TcpInputProc - Valid signature found 02-06-2011 19:19:09.854 INFO TcpInputProc - Connection accepted from 10.1.12.111
Following is how a successful connection might appear in splunkd.log
on a forwarder:
02-06-2011 19:19:09.927 INFO TcpOutputProc - attempting to connect to 10.1.12.112:9997... 02-06-2011 19:19:09.936 INFO TcpOutputProc - Connected to 10.1.12.112:9997
About securing distributed environments
Communication between search heads and peers uses public-key encryption.
At startup, Splunk software generates a private key and a public key on your Splunk Enterprise installation. When you configure distributed search on the search head, the search heads distribute those public keys to the peers and those keys are used to secure communication. This default configuration provides built-in encryption as well as data compression that improves performance. See Distribute the key files in the Distributed Search Manual.
Public-key encryption for securing distributed configurations. However, it is possible to configure SSL for a search head cluster by configuring each member of the search head cluster. You can determine if your deployment has each member of the search head cluster configured for SSL by checking the attribute requireClientCert
in server.conf
. See Secure your deployment server and clients using certificate authentication in Securing Splunk Enterprise.
Encryption with the splunk.secret key
The splunk.secret file contains a key that encrypts some of your authentication information in configuration files:
web.conf
: SSL passwords on every instanceauthentication.conf
: LDAP passwords, if you have anyinputs.conf
: SSL passwords, if you usesplunktcp-ssl
outputs.conf
: SSL passwords, if you usesplunktcp-ssl
server.conf
: pass4symmkey, if you have one
At initial startup, Splunk Enterprise creates the splunk.secret file in the $SPLUNK_HOME/etc/auth/
directory. Any passwords that you create in the previous list of configuration files appear encrypted in this file. If you manually add any unencrypted passwords, Splunk software overwrites those passwords into this file upon startup.
More information
See the following topics for more information on securing your Splunk Enterprise deployment.
For an introduction to using TLS to secure your Splunk Enterprise instances:
For information on how to secure Splunk Web:
For information on how to secure connections between Splunk platform instances and processes:
For information on how to secure connections between Splunk indexers and forwarders:
Identify Splunk users, roles, and authentication schemes | Learn about licensing |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!