I'm trying to update Splunk_TA_NIX from version 5.2.1 to version 5.2.3, but the admin/passwd doesn't seem to be working. The admin passwd has been changed since the app was originally installed and I currently don't have access to the old passwd. I've tried the current admin:passwd, my Splunk acct. credentials, and the default admin:changeme: "no dice". I was wondering if you need the original password, and if so, is there a way to force the Splunk app to use a new admin password if changed (if possible)? Thanks
I'm also assuming the admin:passwd it's looking for is the same one we use to log in to Splunk Enterprise.
Answer by @Lionel:
To reset the admin password you will need to have access to the file system:
- move the $SPLUNK_HOME/etc/passwd file to passwd.bak
- restart splunk

After the restart you should be able to login using the default login (admin/changeme).
If you created other user accounts, copy those entries from the backup file into the new passwd file and restart splunk.
It is already answered:
https://answers.splunk.com/answers/834/how-could-i-reset-the-admin-password.html
Thanks, I understand that. I was just curious what username:passwd the app is looking for... I was trying to avoid resetting passwords if possible.
Ah okay, I misunderstood.
At which point is the app looking for credentials? During the install via Splunk Web or via the CLI install (directly or via a Deployment Server)?
Are you receiving an error message? If so, in which log file and what is the message?
No worries. Under "manage app", when I click on the app upgrade it asks for username/passwd. I was updating via Web Console. Error via web console is invalid username/passwd.
Crazy thing is I have current admin/passwd, but it sucks if you need the admin/passwd that was used when the app was originally installed and not the current updated one. Thanks for your response.
I would be very surprised if that was the case as the TA shouldn't store any credentials as far as I know.
Check in SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/* and see if there are any hard-coded password hashes.
Also check SPLUNK_HOME/etc/system/local/* for the same.
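The check suggested above (looking through the app's local/ directory and etc/system/local for hard-coded credentials), as an added example that is not part of the original thread. The function name, the key-name heuristic (`pass`/`secret`) and the rule that a value starting with `$<digits>$` is a hash or an encrypted value are assumptions of this example; secret values are never printed.

```shell
#!/bin/sh
# Added example (not from the thread): list credential-like settings in
# Splunk .conf files, reporting file, stanza, key and kind, never the value.

# scan_conf_credentials DIR...   (hypothetical helper name)
# Output, tab-separated: <file> <stanza> <key> <kind>
scan_conf_credentials() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue               # skip directories that do not exist
        find "$dir" -type f -name '*.conf' -exec awk '
            FNR == 1        { stanza = "-" }    # new file: no stanza seen yet
            /^[ \t]*[#;]/   { next }            # comment line
            /^[ \t]*\[/     {                   # stanza header, e.g. [general]
                stanza = $0
                sub(/^[ \t]*\[/, "", stanza)
                sub(/\].*$/, "", stanza)
                next
            }
            {
                eq = index($0, "=")
                if (eq == 0) next
                key = substr($0, 1, eq - 1)
                val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                # Assumption: credential settings contain "pass" or "secret"
                # in the key name (password, pass4SymmKey, sslPassword, ...).
                if (tolower(key) !~ /pass|secret/) next
                # Assumption: a "$<digits>$" prefix marks a hash or an
                # encrypted value; anything else non-empty is clear text.
                if (val == "")                  kind = "empty"
                else if (val ~ /^\$[0-9]+\$/)   kind = "hashed-or-encrypted"
                else                            kind = "PLAINTEXT"
                printf "%s\t%s\t%s\t%s\n", FILENAME, stanza, key, kind
            }
        ' {} +
    done
}

# Scan the two locations named in the thread when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ]; then
    scan_conf_credentials "$SPLUNK_HOME/etc/apps/Splunk_TA_nix/local" \
                          "$SPLUNK_HOME/etc/system/local"
fi
```

Any line reported as PLAINTEXT is a setting to review first; an empty result means no credential-like keys were found in those directories.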
I was logged in both ways, as myself (I have admin priv) and also as the admin user, and I'm getting the invalid username/passwd under both. I tried it both ways because I've seen tools that want the admin user even if you are indeed an admin. I'll pick this up in the am, thanks so much for the insight (check first thing in the morning).
Good luck!
Have you checked the internal log files for Splunk to see if there is further information?
SPLUNK_HOME/var/log/splunk/splunkd.log
Or search in Splunk: index=_internal error OR warn
I haven't encountered that issue before. Are you signed in as a user with 'admin' as their role?