topic Re: Login reset Spl in Security

Having trouble resetting a server enterprise password from linux?

yashilmohadawoo — Mon, 23 Jan 2023 19:14:38 GMT

Hey everyone, just wanted to get some help with regards to some issues i am facing with resetting a Server Enterprise Password from Linux, i tried making a change onto the server.conf , from the local directory, specifically ,

"/opt/splunk/etc/system/local" ..server.conf

Here is the current directory:

┌──(root㉿kali)-[/opt/splunk/etc/system/local]
└─# ls
deploymentclient.conf migration.conf README server.conf web.conf

{

[sslConfig]

sslPassword =

[general]

pass4SymmKey =

[lmpool:auto_generated_pool_download-trial]

description = auto_generated_pool_download-trial

peers = *

quota = MAX

stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]

description = auto_generated_pool_forwarder

peers = *

quota = MAX

stack_id = forwarder

[lmpool:auto_generated_pool_free]

description = auto_generated_pool_free

peers = *

quota = MAX

stack_id = free

}

From the above, i have also tried removing the SHA 256 algorithm Hash key under the, "pass4SymmKey =", as well as "sslPassword ="m but after restarting the server, these fields which i omitted, seem to be blank by now ..

As per some help, i was able to remove and also delete the, the server.conf, and prior to that i stopped the server with the following command ...

$ ./splunk stop

Then after, this i tried restarting the server with the following command , but the issue here it is not prompting me to create a new credentials, as per this page below :

┌──(root㉿kali)-[/opt/splunk/bin]

└─# ./splunk start
{

Splunk> All batbelt. No tights.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8080]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done

Checking kvstore port [8191]: open [223/1590]
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [instrumentation.usage.tlsBestPractices] in /opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf, line 451: | append [| rest /services/configs/conf-pythonSslClientConfig | eval ssl
VerifyServerCert (value: if(isnull(sslVerifyServerCert),"unset",sslVerifyServerCert), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as python_configuredApp values(sslVerifyServerCert) as python_sslVerifyServerCert by s
plunk_server | eval python_configuredSystem=if(python_configuredApp="system","true","false") | fields python_sslVerifyServerCert, splunk_server, python_configuredSystem]
| append [| rest /services/configs/conf-web/settings | eval mgmtHostPort=if(isnull(mgmtHostPort),"unset",mgmtHostPort), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as fwdrMgmtHostPort_configuredApp values(mgmtHostPor
t) as fwdr_mgmtHostPort by splunk_server | eval fwdrMgmtHostPort_configuredSystem=if(fwdrMgmtHostPort_configuredApp="system","true","false") | fields fwdrMgmtHostPort_sslVerifyServerCert, splunk_server, fwdrMgmtHostPort_configuredSystem
]
| append [| rest /services/configs/conf-server/sslConfig | eval cliVerifyServerName=if(isnull(cliVerifyServerName),"feature",cliVerifyServerName), splunk_server=sha256(splunk_server) | stats values(cliVerifyServerName) as servername_cli
VerifyServerName values(eai:acl.app) as servername_configuredApp by splunk_server | eval cli_configuredSystem=if(cli_configuredApp="system","true","false") | fields cli_sslVerifyServerCert, splunk_server, cli_configuredSystem]
| stats values(*) as * by splunk_server | eval date=now() | makejson output=data | eval _time=date, date=strftime(date,"%Y-%m-%d") | fields data date _time).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-9.0.3-dd0128b1f8cd-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Enter PEM pass phrase:
Done

}

Waiting for web server at http://127.0.0.1:webport to be available.................................................... Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://kali::webport

Can someone help me to change the password, concurrently, i have both "Splunk forwarder" installed on the both machine , Windows Host as well as the Linux Machine.. But i will like to ingest data from my Linux Machine , this happened recently until i forgot the Server Enterprise password under the VMNET 1, Linux Machine, ,192.168.0.0/24 :the {http://ocalhost,:web port }, Windows is working fine at the local address 127.0.0.1:webport ..

Thanks for all the help in advance ..

Re: Login reset Spl

SanjayReddy — Mon, 23 Jan 2023 04:42:04 GMT

Hi @yashilmohadawoo

as per my understanding , you want to reset your Splunk web login password, if yes, please follow below

rename the file /opt/splunk/etc/passwd to passwd_old
crete the new file user-seed.conf in /opt/splunk/etc/system/local/user-seed.conf
add following contents
[user_info]
USERNAME = admin
PASSWORD = <your cutstom password>

restart the splunk,

now you can able to login on Splunk UI

Re: Login reset Spl

yashilmohadawoo — Mon, 23 Jan 2023 08:14:19 GMT

Sir can you also help me with resetting my password, for the Splunk Server, enterprise through the 127.0.0.1, currently on my windows machine, i have been locked out, i can only log into the splunk instance cloud, but not the server enterprise on the localhost:80....Webport

At the same time i wanted to ask you if in case the server.conf , through the directory, /opt/splunk/etc//local/system .. if currently nothing on the ssl password as well as the passkey, would be an issue as when restarted ?

{

sslConfig]
sslPassword =
[general]
pass4SymmKey =
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free

}

I am not sure if that is correct as i have a long string process, with the algorithm type , can you help me to identify some of which if ever may be causing an issue.. It is outside of my comprehension why is there so many processes under Splunk on my linux ..

┌──(kali㉿kali)-[~]
└─$ ps -eF | grep splunk splunk 1117 1 0 91071 103088 0 00:17 ? 00:00:36 splunkd --under-systemd --systemd-delegate=yes -p 8089 _int
ernal_launch_under_systemd splunk 1313 1117 0 29684 5712 2 00:18 ? 00:00:00 [splunkd pid=1117] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner] root 75854 1 0 18793 64132 2 02:38 ? 00:00:01 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py root 80622 1 8 85198 147372 1 02:47 ? 00:00:01 splunkd -p 8080 restart root 80623 80622 0 29684 19284 0 02:47 ? 00:00:00 [splunkd pid=80622] splunkd -p 8080 restart [process-runner]
root 80803 80623 2 20967 41140 0 02:47 ? 00:00:00 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --
storageEngine=wiredTiger --wiredTigerCacheSizeGB=0.256000 --port=8191 --timeStampFormat=iso8601-utc --oplogSize=200 --keyFile=/
opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --setParameter=oplogFetcherSteady
StateMaxFetcherRestarts=0 --replSet=EA7B7BD0-0109-429F-A25E-68B3C7528516 --bind_ip=0.0.0.0 --sslMode=requireSSL --sslAllowInval
idHostnames --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --tlsDisabledProtocols=noTLS1_0,noTLS1_1 --sslCipherConfig=ECDHE-EC
DSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-
SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128
-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256 --nounixsocket --noscripting
kali 80901 80726 0 1583 2076 2 02:47 pts/5 00:00:00 grep --color=auto splunk

Can you help me to eliminate any of these many processes, cause i see a lot of the pythonpath, initiating the instance_id_modular_input.py, is this normal ..?

Run the following command :

From the kali machine :

dir : "/opt/splunk/bin/"

$ ./splunk stop

$ ./splunk start

Here i am being asked the a PEM Passphrase, can this be anything ?

Re: Login reset Spl

yashilmohadawoo — Mon, 23 Jan 2023 08:23:48 GMT

Thanks a lot for your support.