Deployment Architecture
Highlighted

Change forwarder password in a large deployment

Splunk Employee
Splunk Employee

Hello, If I wanted to deploy out a large number of forwarders, what is the best practice to change the default splunkd password?

Thanks!

Anyone?!?! Anyone?!?!

Highlighted

Re: Change forwarder password in a large deployment

Ultra Champion

If you are talking about setting an initial password at installation time, I guess that you could add

<path>/bin/splunk edit user admin -password <your new passswd> -auth admin:changeme

to your install/post-install script. However this depends on how you choose to deploy and on what platform. The bigger issue is how to change it at a later date. Unfortunately there is no safe way of doing it via the DeploymentServer. Neither can you upgrade the forwarder that way.

Sorry,

Kristian

Highlighted

Re: Change forwarder password in a large deployment

Communicator

You've probably solved your issue, but...

I've deployed to a hundred or so Linux systems manually[1] via scripting. On my UFs there is only one account, admin, so I just copy the entire passwd file there.

Here's a few lines from my install script. I've previously copied files to /tmp. Running as the Splunk user (uid=1984), in $SPLUNK_HOME, any my semi-normal user, these if statements are run:

# Splunk section
if [ "$(id -u)" = "1984" ] ; then
tar zxvf /tmp/my-splunkuf.tgz
cp /tmp/passwd splunkforwarder/etc
chmod 600 splunkforwarder/etc/passwd
/opt/splunk/splunkforwarder/bin/splunk start --accept-license
exit 0
fi

(Another comment, # is messing up the formatting) sudo-priv-user section
if [ "$(id -u)" = "10101" ] ; then
sudo /opt/splunk/splunkforwarder/bin/splunk enable boot-start -user splunk
sudo chmod a+r /var/log/messages
sudo rm /tmp/passwd
rm /tmp/splunkme
rm /tmp/my-splunkuf.tgz
rm /tmp/adduser-splunk
fi

I have a custom tarball that I give to other groups for installation. Among other things, it includes a custom outputs.conf pointing at my indexers and $SPLUNK_HOME/splunkforwarder/bin is included in the Splunk user's $PATH in .profile. The other groups may have their own preferred password.

[1]"Manually" is misleading. I run a few shell scripts that copy files to multiple systems targetted as UFs, log in and run those scripts, then clean up after themselves. SSH keys are enabled so I don't have to enter my password hundreds of times.
If you understand this example, then you know what I mean.

for i in $( cat new-UF-list ) ; do
scp adduser-splunk splunkme file1 file2 file3 ${i}/tmp
ssh $i /tmp/adduser-splunk
ssh splunk@${i} /tmp/splunkme
ssh $i /tmp/splunkme
done

View solution in original post