topic Re: Configure Splunk Forwarder only with admin account in Deployment Architecture

Configure Splunk Forwarder only with admin account

splunkTest13 — Fri, 02 Mar 2018 09:41:09 GMT

Hello,

I'm running Splunk free trial 7.0.1.
I need to create an user to configure my forwarder, but not with the admin account.
I try to understand if it's about roles or capacity. But when i create an user, and give it to him admin role, i can't configure my forwarder, login failed.

Another thing is that i already change a couple of time password of admin account. And when i configure my forwarder, old password work. Strange no ? I try to read configuration files, to see if old password were stored, but nothing.

Thanks in advance,

Re: Configure Splunk Forwarder only with admin account

gcusello — Fri, 02 Mar 2018 15:35:10 GMT

Hi splunkTest13,
just few additional information:

what's the operative system you're using?
are you speaking of an operative system user or a Splunk User?
what's the user you used for installation and Splunk processes running?

It's possible to install Forwarders using a non admin user, see:
http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser
http://docs.splunk.com/Documentation/Splunk/latest/Installation/ChoosetheuserSplunkshouldrunas

Bye.
Giuseppe

Re: Configure Splunk Forwarder only with admin account

splunkTest13 — Tue, 13 Mar 2018 10:18:21 GMT

Hi,

Sorry sorry ... I was really busy on another subject.

So, the operating system is RedHat Linux
I speak about a Splunk User who will had the same role of Splunk Admin for connecting remote forwarder to the instance of Splunk
I use actually the default administrator user --> admin:changeme

But I want to create, like admin, an user like user_forwarder so that when i configure my forwarder on the remote machine, i don't give to technician the credentials of administrator of Splunk.

Thanks a lot.

Regards,

Juliette

Re: Configure Splunk Forwarder only with admin account

gcusello — Tue, 13 Mar 2018 12:07:02 GMT

Hi Juliette,
are you speaking about a Splunk user on Forwarder, correct?

Forwarders are usually managed using a Deployment Server (see http://docs.splunk.com/Documentation/Splunk/7.0.2/Updating/Configuredeploymentclients )
in few words on forwarder run the following commands
splunk set deploy-poll :
splunk restart
and then manage its configurations on your Splunk Enterprise (if you have an All-in-one installation and few forwarders), or on your Deployment Server (if you have many forwarders) deploying Technical Add-ons (see the below url).

Otherwise, if you're making a test or a PoC, you can manually configure forwarders using admin user: there are no reasons to use a different Splunk user (if possible: I never tried!).
Eventually, you could change the default admin password:

splunk edit user admin -password "new_password" -auth admin:current_password

Anyway you can have different passwords between Splunk Enterprise and Forwarders.

Bye.
Giuseppe

Re: Configure Splunk Forwarder only with admin account

splunkTest13 — Tue, 13 Mar 2018 14:44:42 GMT

Hi, thanks again for your answer.
Sorry, but just to be clear : Is that mandatory to use deployment server ?
Because currently, I have 3 forwarders on 3 remote machine. As you say, it was a PoC but it's become a pilote and for security reason the user allowing connection when I do :

[host /]$ sudo /opt/splunkforwarder/bin/splunk add forward-server ip:port -auth admin:changeme

in my remote machine is my admin account.

If i create in Splunk web interface an user with the same role as admin (all the roles), and i try again on my remote server to add forwarder server :

[host /]$ sudo /opt/splunkforwarder/bin/splunk add forward-server ip:port -auth juliette:juliette

Then login failed. While nothing is different between admin user and juliette user.

I'm not sure that i explain well my problem, maybe it's my english or maybe i don't understand something in splunk configurations.

Another time,

Thanks a lot.
Regards,
Juliette