How to enable password on existing splunk search peer via CLI and through Splunk web?



In our environment we have dedicated servers for indexers, and the search heads connect to them. All security is handled at the search head. The way it is right now, anyone can install a Splunk search head (even on their own desktop) and gain access to the indexers without any sort of security controls.
There’s a setting that you can put on the indexers that requires a password from the search head to make them a search peer. We need to enable that on all of our indexers.
Could somebody direct us how to set up authentication settings via CLI and Splunk Web.

Tags (1)
0 Karma



That shouldn't be possible with distributed search. Also the password your talking about is actually the reverse. Its to allow a search head to get events from a particular index. This need to be manually added.

Normally, on a new search head, you would have to click on manager/distributed search/search peers then add new to add the existing indexes.

It then prompts for the username and password (splunk index admin). Without these authentication will fail and you won't be able to search those indexes. The error looks something like this "Encountered the following error while trying to save: In handler 'distsearch-peer': Status 401 while sending public key to search peer <html><body><head>401 Unauthorized.</head></body></html>"

If a valid account is used then the search heads one-time authenticates against indexes using the indexes own account. I believe during this initial setup it sends the search heads public key to the index which it then uses for all later communication.

So unless you've copied these keys around already OR given out the indexes admin password to general users they shouldn't be able to get access to index data.

CLI adding a index to a search head : splunk add search-server -host -auth admin:password -remoteUsername admin -remotePassword passremote

More details here :