Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Obfuscate passwords

Splunk administrators do not have direct administrative access to VMware environment systems such as vCenter Server and ESX/i hosts. As the VMware administrator you must provide access to your VMware environment to the Splunk administrator who needs to monitor the environment using Splunk for VMware. You can now obfuscate passwords instead of storing them in clear text in the engine.conf file. You can now create a credentials.conf file to hold the obfuscated passwords so that you can remove them from your engine.conf file(s).

As a VMware administrator you can generate a credentials file and give it to the Splunk Solutions administrators. This enables the Splunk Solutions administrator to install and configure Splunk for VMware without having to know the underlying passwords. For detailed information about how password obfuscation is implemented in Splunk for VMware, see "Password obfuscation" in this manual.

Who can use what

As the splunkadmin user you can use credentials.pl (located in $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/bin in the Splunk FA VM). credentials.plis already in your path and you can run it from any directory location. This option is used mostly by Splunk Solutions administrators who are also the VMware administrators.

As the VMware administrator you can:

  1. Run credentials.pl on an existing credentials.conf file: 
    credentials.pl -f <your_credentials.conf_file>
    or
  2. Run credentials.pl in interactive mode where it prompts you for the user ids and passwords, paste in a clear text conf file (characters are not echoed to the screen), and press CTRL-D: 
    credentials.pl -i
    .

After running the tool, a "credentials.conf" file is written out to the same directory where the tool was run. This credentials.conf file is a recreation of the original file but with that passwords encrypted.

This option is more suited when the Splunk administrator is not a VMware administrator. As the VMware administrator, you run the tool interactively to generate the credentials file and then you give the credentials file to the Splunk Solutions administrator.

How to obfuscate passwords

Follow the instructions in this topic to create a credentials.conf file containing encrypted passwords.

Run credentials.pl

As a Splunk Solutions administrator, you need a working engine.conf file with the usernames and passwords already in it.

To run credentials.pl:

  1. Log into the FA VM as the splunkadmin user.
  2. Change directories into the location where your engine.conf files reside:
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local
  3. Run the tool:
    credentials.pl -f <your_engine.conf_file> -c
    Replace <your_engine.conf_file> with the filename of the engine.conf file from which you want to generate credentials.
    Note that usually just the engine.conf file name is used by itself (not full path) as the tool is run in Splunk_TA_vmware/local where your engine.conf file resides.
  4. Edit the engine.conf file to remove the clear text passwords that existed previously. Remove all of the username and password setting lines from every stanza in the file.

Things to note

When you run credentials.pl

  • credentials.conf is created by default in the same directory where you ran the tool (typically Splunk_TA_vmware/local).
  • It does not modify your engine.conf file. It leaves your configuration intact.
  • It reads the specified engine.conf file, generates host key-value pairs, and writes out a working credentials.conf file containing stanzas (all single entry or default) with the encrypted passwords.
  • Username and password settings in engine.conf take precedence over settings in credentials.conf. If you don't want a precedence issue, remove them from your engine.conf file. If the credentials are incorrectly specified in engine.conf your engine will not work!


Run credentials.pl in interactive mode

As a VMware administrator, you must first create a clear-text credentials.conf file that contains stanzas with host entries, usernames, and clear-text passwords. Store this file outside of the FA VM.

This example assumes the credentials.conf file is created on a different machine and can be copied or pasted into the interactive session. 

[default] 
host= 
username=guest 
password=guest

[host] 
host=esx1234.mycompany.com 
username=foo 
password=bar

[host2] 
host=1.2.3.4 
username=baz 
password=biz

To run credentials.pl:

  1. Log into the FA VM as the splunkadmin user.
  2. Change directories into the location where you want the credentiials.conf file to reside:
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local
  3. Run the tool using the following command:
    credentiials.pl -i
  4. Copy your clear-text credentials.conf file and paste it into the interactive session window, and then hit CTRL-D.
  5. credentials.pl runs and outputs a credentials.conf file that contains encrypted passwords.
  6. Remove older clear text passwords from your engine.conf file. Remove all of the username and password setting lines from every stanza in the file.

Things to note for interactive mode

When you run credentials.pl

  • Stanza names do not have to be unique, but we recommend it for clarity. The stanza names will be made unique as the stanzas are processed.
  • The three fields, host, username, and password are required fields.

Example credentials.conf file

This is an example of the obfuscated file generated by credentials.pl for the source sample shown earlier: 

$> cat credentials.conf 
[host2] 
host=1.2.3.4 
username=baz 
password={RC4}Wk0K

[default] 
host= 
username=guest 
password={RC4}HBDg/1w=

[host] 
host=esx1234.mycompany.com 
username=foo 
password={RC4}ucYZ

Make credentials.conf available to the Engine

To use the credentials file you generated, the engine, Engine.pm, needs to know the name and location of the file. You must save the credentials.conf file in the default location: $SPLUNKHOME$/etc/apps/Splunk_TA_vmware/local.

Note: If you rename the file or change the location of the file you must edit the inputs.conf file in the $SPLUNKHOME$/etc/apps/Splunk_TA_vmware/local directory to tell the engine where to look for it.

Change settings in a credentials.conf file

As part of ongoing solution administration, you can change the settings in the credentials.conf file.

If you modify the file you must:

  1. Re-run credentials.pl and re-generate the file based on the updated engine.conf files.
  2. Change the credentials.conf file itself and then re-run credentials.pl on the existing file.

The instructions for option 2 are provided in the sections below.

Add an entry

Note: Performing these steps will OVERWRITE your current credentials.conf file.

  1. Open the existing credentials.conf file with an editor.
  2. Add the stanza as clear text .
  3. Save the file.
  4. Run: credentials.pl -f credentials.conf

Delete an entry

  1. Open the existing credentials.conf file with an editor.
  2. Delete the stanza containing the entry.
  3. Save the file.

Update an entry

Note: Performing these steps will OVERWRITE your current credentials.conf file.

  1. Open the existing credentials.conf file with an editor.
  2. Edit the file to make the changes.
  3. Replace the password with a clear-text version of the password. Be sure you delete the {RC4}\0 at the beginning and the \0 at the end.
  4. Save the file.
  5. Run: credentials.pl -f credentials.conf
Last modified on 17 September, 2012
Configure engine.conf   Launch Splunk Web

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters