Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to enable password on existing splunk search peer via CLI and through Splunk web?

mike7860
Explorer
‎11-02-2012 09:16 AM

Hi

In our environment we have dedicated servers for indexers, and the search heads connect to them. All security is handled at the search head. The way it is right now, anyone can install a Splunk search head (even on their own desktop) and gain access to the indexers without any sort of security controls.
There’s a setting that you can put on the indexers that requires a password from the search head to make them a search peer. We need to enable that on all of our indexers.
Could somebody direct us how to set up authentication settings via CLI and Splunk Web.

Tags (1)
0 Karma
Reply

Lucas_K
Motivator
‎11-04-2012 08:22 PM

Mike,

That shouldn't be possible with distributed search. Also the password your talking about is actually the reverse. Its to allow a search head to get events from a particular index. This need to be manually added.

Normally, on a new search head, you would have to click on manager/distributed search/search peers then add new to add the existing indexes.

It then prompts for the username and password (splunk index admin). Without these authentication will fail and you won't be able to search those indexes. The error looks something like this "Encountered the following error while trying to save: In handler 'distsearch-peer': Status 401 while sending public key to search peer https://11.1.1.1:8089: <html><body><head>401 Unauthorized.</head></body></html>"

If a valid account is used then the search heads one-time authenticates against indexes using the indexes own account. I believe during this initial setup it sends the search heads public key to the index which it then uses for all later communication.

So unless you've copied these keys around already OR given out the indexes admin password to general users they shouldn't be able to get access to index data.

CLI adding a index to a search head : splunk add search-server -host 10.10.10.10:8089 -auth admin:password -remoteUsername admin -remotePassword passremote

More details here : http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Configuredistributedsearch

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...