Deployment Architecture

Change forwarder password in a large deployment

DrewO
Splunk Employee

Hello, if I wanted to deploy a large number of forwarders, what is the best practice to change the default splunkd password?

Thanks!

Anyone?!?! Anyone?!?!

1 Solution

I_am_Jeff
Communicator

You've probably solved your issue, but...

I've deployed to a hundred or so Linux systems manually[1] via scripting. On my UFs there is only one account, admin, so I just copy the entire passwd file there.

Here are a few lines from my install script. I've previously copied files to /tmp. Running as the Splunk user (uid=1984), in $SPLUNK_HOME, and my semi-normal user, these if statements are run:

# Splunk section: runs as the Splunk user (uid 1984) inside $SPLUNK_HOME
if [ "$(id -u)" = "1984" ] ; then
    cd "$SPLUNK_HOME" || exit 1
    tar zxvf /tmp/my-splunkuf.tgz
    # replace the forwarder's passwd file with the pre-built one (admin only)
    cp /tmp/passwd splunkforwarder/etc
    chmod 600 splunkforwarder/etc/passwd
    /opt/splunk/splunkforwarder/bin/splunk start --accept-license
    exit 0
fi

# sudo-priv-user section: runs as the semi-normal user (uid 10101)
if [ "$(id -u)" = "10101" ] ; then
    sudo /opt/splunk/splunkforwarder/bin/splunk enable boot-start -user splunk
    # make syslog readable by the splunk user (this makes it world-readable)
    sudo chmod a+r /var/log/messages
    # remove the staged files, including the copied passwd file
    sudo rm /tmp/passwd
    rm /tmp/splunkme
    rm /tmp/my-splunkuf.tgz
    rm /tmp/adduser-splunk
fi

I have a custom tarball that I give to other groups for installation. Among other things, it includes a custom outputs.conf pointing at my indexers and $SPLUNK_HOME/splunkforwarder/bin is included in the Splunk user's $PATH in .profile. The other groups may have their own preferred password.

[1]"Manually" is misleading. I run a few shell scripts that copy files to multiple systems targeted as UFs, log in and run those scripts, then clean up after themselves. SSH keys are enabled so I don't have to enter my password hundreds of times.
If you understand this example, then you know what I mean.

# new-UF-list holds one target hostname per line
for i in $( cat new-UF-list ) ; do
    scp adduser-splunk splunkme file1 file2 file3 "${i}:/tmp"
    ssh "$i" /tmp/adduser-splunk          # create the splunk user
    ssh "splunk@${i}" /tmp/splunkme       # uid 1984 branch: unpack, passwd, start
    ssh "$i" /tmp/splunkme                # uid 10101 branch: boot-start, cleanup
done

kristian_kolb
Ultra Champion

If you are talking about setting an initial password at installation time, I guess that you could add

<path>/bin/splunk edit user admin -password <your new password> -auth admin:changeme

to your install/post-install script. However this depends on how you choose to deploy and on what platform. The bigger issue is how to change it at a later date. Unfortunately there is no safe way of doing it via the DeploymentServer. Neither can you upgrade the forwarder that way.

Sorry,

Kristian
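As an added example, not code from the thread: a POSIX sh fragment that applies the install-time `splunk edit user` step above while reading the new password from a 0600 file rather than hard-coding it, and then confirms that the factory admin:changeme is no longer accepted. The `check_password` and `read_password_file` helpers, the `SPLUNK_BIN` variable and the use of `splunk list user` as the verification call are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sets a non-default admin password on a
# freshly installed universal forwarder with the CLI kristian_kolb names,
# reading the secret from a 0600 file rather than hard-coding it, and then
# checks that the factory admin:changeme no longer authenticates.
# Assumptions: SPLUNK_BIN points at the UF's splunk binary, the forwarder is
# already started, and it still has the factory password.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk/splunkforwarder}"
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"
DEFAULT_AUTH="admin:changeme"

# Reject obviously weak values before touching the forwarder:
# at least 8 characters, not the factory default, no whitespace.
check_password() {
    pw="$1"
    [ "${#pw}" -ge 8 ] || return 1
    [ "$pw" != "changeme" ] || return 1
    case "$pw" in *[[:space:]]*) return 1 ;; esac
    return 0
}

# Read the new password (first line) from a file that must be mode 0600,
# so the secret lives neither in the script nor in shell history.
read_password_file() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$perms" = "600" ] || return 1
    head -n 1 "$f"
}

# Change the admin password using the factory credentials, then verify that
# they are rejected. Return codes: 2 weak password, 3 edit failed,
# 4 default credentials still work. (The password is still briefly visible
# to other local users in the process list while the CLI runs.)
set_admin_password() {
    newpw="$1"
    check_password "$newpw" || return 2
    "$SPLUNK_BIN" edit user admin -password "$newpw" -auth "$DEFAULT_AUTH" \
        >/dev/null || return 3
    if "$SPLUNK_BIN" list user -auth "$DEFAULT_AUTH" >/dev/null 2>&1; then
        return 4
    fi
    return 0
}

# Usage on a host (the file path is a placeholder):
#   pw=$(read_password_file /path/to/uf-admin.pw) && set_admin_password "$pw"
```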
