Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Configure Splunk Forwarder only with admin account

splunkTest13
Explorer
‎03-02-2018 01:41 AM

Hello,

I'm running Splunk free trial 7.0.1.
I need to create an user to configure my forwarder, but not with the admin account.
I try to understand if it's about roles or capacity. But when i create an user, and give it to him admin role, i can't configure my forwarder, login failed.

Another thing is that i already change a couple of time password of admin account. And when i configure my forwarder, old password work. Strange no ? I try to read configuration files, to see if old password were stored, but nothing.

Thanks in advance,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-02-2018 07:35 AM

Hi splunkTest13,
just few additional information:

  • what's the operative system you're using?
  • are you speaking of an operative system user or a Splunk User?
  • what's the user you used for installation and Splunk processes running?

It's possible to install Forwarders using a non admin user, see:
http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser
http://docs.splunk.com/Documentation/Splunk/latest/Installation/ChoosetheuserSplunkshouldrunas

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

splunkTest13
Explorer
‎03-13-2018 03:18 AM

Hi,

Sorry sorry ... I was really busy on another subject.

  • So, the operating system is RedHat Linux
  • I speak about a Splunk User who will had the same role of Splunk Admin for connecting remote forwarder to the instance of Splunk
  • I use actually the default administrator user --> admin:changeme

But I want to create, like admin, an user like user_forwarder so that when i configure my forwarder on the remote machine, i don't give to technician the credentials of administrator of Splunk.

Thanks a lot.

Regards,

Juliette

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-02-2018 07:35 AM

Hi splunkTest13,
just few additional information:

  • what's the operative system you're using?
  • are you speaking of an operative system user or a Splunk User?
  • what's the user you used for installation and Splunk processes running?

It's possible to install Forwarders using a non admin user, see:
http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser
http://docs.splunk.com/Documentation/Splunk/latest/Installation/ChoosetheuserSplunkshouldrunas

Bye.
Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-13-2018 05:07 AM

Hi Juliette,
are you speaking about a Splunk user on Forwarder, correct?

Forwarders are usually managed using a Deployment Server (see http://docs.splunk.com/Documentation/Splunk/7.0.2/Updating/Configuredeploymentclients )
in few words on forwarder run the following commands
splunk set deploy-poll :
splunk restart
and then manage its configurations on your Splunk Enterprise (if you have an All-in-one installation and few forwarders), or on your Deployment Server (if you have many forwarders) deploying Technical Add-ons (see the below url).

Otherwise, if you're making a test or a PoC, you can manually configure forwarders using admin user: there are no reasons to use a different Splunk user (if possible: I never tried!).
Eventually, you could change the default admin password:

splunk edit user admin -password "new_password" -auth admin:current_password

Anyway you can have different passwords between Splunk Enterprise and Forwarders.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

splunkTest13
Explorer
‎03-13-2018 07:44 AM

Hi, thanks again for your answer.
Sorry, but just to be clear : Is that mandatory to use deployment server ?
Because currently, I have 3 forwarders on 3 remote machine. As you say, it was a PoC but it's become a pilote and for security reason the user allowing connection when I do : 

[host /]$ sudo /opt/splunkforwarder/bin/splunk add forward-server ip:port -auth admin:changeme

in my remote machine is my admin account.

If i create in Splunk web interface an user with the same role as admin (all the roles), and i try again on my remote server to add forwarder server :

[host /]$ sudo /opt/splunkforwarder/bin/splunk add forward-server ip:port -auth juliette:juliette

Then login failed. While nothing is different between admin user and juliette user.

I'm not sure that i explain well my problem, maybe it's my english or maybe i don't understand something in splunk configurations.

Another time,

Thanks a lot.
Regards,
Juliette

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...