Archive2

Can you disable auto-login on Splunk Free

Contributor

I want to force admin login on the Splunk Free version, even though it's only one user. Is there a way to do this? I have this on my web.conf:

[default]

[settings]
enable_autocomplete_login = False
Tags (2)
1 Solution

Splunk Employee
Splunk Employee

You could place the Splunk interface behind some other web proxy (e.g. Apache) and restrict access to it that way. You would still require the enterprise version to be able to assign roles though, as everyone would still be accessing the application as the anonymous admin user.

View solution in original post

New Member

I would imagine if you're trying to use Splunk free you would want at least this ability. Since giving access to the console to anyone is not advisable. Because of this, seeing a Splunk free server WEB-UI on a network during a vulnerability assessment is in several different ways a vulnerability. I would imagine that the Splunk team would want to resolve it by forcing you to login to the admin account.

To remediate this issue I've seen anything from using iptables to restrict external access and then bouncing the connection with an ssh tunnel, a SSL frontend proxy, or an ipsec tunnel. It's pretty frustrating for testing and user uptake when you have to implement such a crude cludge to allow for this when all it would take is disabling all other accounts (which IIRC is done on transition from enterprise trial to free) and prompting for login for the same user you are prompted for with the splunk cli.

I'd imagine they've heard this before, but since the implementation space they're impacting is people like myself who log their soho to a remote machine, or the Small/Medium business community who can't afford the license for such a great product it doesn't really behoove them to do this for anything other than goodwill.

0 Karma
Reply

Splunk Employee
Splunk Employee

You seem to imply that an expired license will automatically revert to free, when this is not the case at all. When switching from Enterprise to Free, an admin must log in to make the explicit switch. If a Splunk Enterprise Trial license expires, an admin must log in and explicitly switch from Enterprise to Free. If you need authentication, you can either buy Splunk or use a proxy - it is difficult to see what is a kludge about that.

0 Karma
Reply

Contributor

enableautocompletelogin controls whether your browser remembers the values typed into the username field, not the process of authenticating.

0 Karma
Reply

Splunk Employee
Splunk Employee

You could place the Splunk interface behind some other web proxy (e.g. Apache) and restrict access to it that way. You would still require the enterprise version to be able to assign roles though, as everyone would still be accessing the application as the anonymous admin user.

View solution in original post

Contributor

I used IIS version 7.

0 Karma
Reply

Contributor

That should be fine, I don't need the roles yet, I just need authentication using the default admin account before accessing the rest of the content.

0 Karma
Reply

Splunk Employee
Splunk Employee

Authentication is part of the feature only available in Enterprise version. You need to purchase the Enterprise version to enable the login screen.

0 Karma
Reply

Contributor

Understood, however, access to splunk is still restricted to the default admin account, i.e. if you're performing CLI on splunk, it requires you to supply the admin account, I want that to be the same for the GUI.

0 Karma
Reply