Configure Splunk Forwarder only with admin account

splunkTest13
Explorer

Hello,

I'm running the Splunk free trial 7.0.1.
I need to create a user to configure my forwarder, but not with the admin account.
I'm trying to understand if it's about roles or capacity. But when I create a user and give it the admin role, I can't configure my forwarder: login failed.

Another thing is that I have already changed the password of the admin account a couple of times. And when I configure my forwarder, the old password works. Strange, no? I tried to read the configuration files to see if old passwords were stored, but found nothing.

Thanks in advance,


gcusello
SplunkTrust

Hi splunkTest13,
just some additional information:

  • what operating system are you using?
  • are you speaking of an operating system user or a Splunk user?
  • which user did you use for the installation and for running the Splunk processes?

It's possible to install Forwarders using a non-admin user, see:
http://docs.splunk.com/Documentation/Splunk/latest/Installation/RunSplunkasadifferentornon-rootuser
http://docs.splunk.com/Documentation/Splunk/latest/Installation/ChoosetheuserSplunkshouldrunas

Bye.
Giuseppe

splunkTest13
Explorer

Hi,

Sorry, sorry... I was really busy with another subject.

  • So, the operating system is RedHat Linux
  • I am speaking about a Splunk user who will have the same role as the Splunk admin, for connecting a remote forwarder to the Splunk instance
  • I currently use the default administrator user --> admin:changeme

But I want to create, like admin, a user such as user_forwarder, so that when I configure my forwarder on the remote machine, I don't give the technician the Splunk administrator credentials.

Thanks a lot.

Regards,

Juliette

gcusello
SplunkTrust

Hi Juliette,
you are speaking about a Splunk user on the Forwarder, correct?

Forwarders are usually managed using a Deployment Server (see http://docs.splunk.com/Documentation/Splunk/7.0.2/Updating/Configuredeploymentclients )
In a few words: on the forwarder, run the following commands
splunk set deploy-poll :
splunk restart
and then manage its configurations on your Splunk Enterprise (if you have an All-in-one installation and few forwarders), or on your Deployment Server (if you have many forwarders) by deploying Technical Add-ons (see the URL below).

Otherwise, if you're doing a test or a PoC, you can manually configure forwarders using the admin user: there is no reason to use a different Splunk user (if possible: I never tried!).
Eventually, you could change the default admin password:

splunk edit user admin -password "new_password" -auth admin:current_password

Anyway you can have different passwords between Splunk Enterprise and Forwarders.

Bye.
Giuseppe


splunkTest13
Explorer

Hi, thanks again for your answer.
Sorry, but just to be clear: is it mandatory to use a deployment server?
Because currently, I have 3 forwarders on 3 remote machines. As you say, it was a PoC, but it has become a pilot, and for security reasons the user allowing the connection when I run:

[host /]$ sudo /opt/splunkforwarder/bin/splunk add forward-server ip:port -auth admin:changeme

on my remote machine is my admin account.

If I create in the Splunk web interface a user with the same role as admin (all the roles), and I try again on my remote server to add the forward server:

[host /]$ sudo /opt/splunkforwarder/bin/splunk add forward-server ip:port -auth juliette:juliette

Then login failed, although nothing is different between the admin user and the juliette user.

I'm not sure that I explained my problem well; maybe it's my English, or maybe I don't understand something in the Splunk configuration.

Once again,

Thanks a lot.
Regards,
Juliette
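
Added example (not from the thread and not Splunk's own code): the settings behind the `set deploy-poll` and `add forward-server` steps discussed above, written directly as the forwarder's deploymentclient.conf and outputs.conf so that no `-auth` credentials are typed on the remote host. The function names, the group name `pilot_indexers` and all host:port values are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: forwarder settings written as .conf files, no -auth needed.
# pilot_indexers and every host:port value are placeholders.

# valid_target HOST:PORT -> 0 if hostname/IPv4 plus a port in 1..65535
valid_target() {
    case "$1" in *:*) ;; *) return 1 ;; esac
    host=${1%:*}
    port=${1##*:}
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# write_forwarder_conf DIR DEPLOYMENT_SERVER INDEXER
# DIR is normally /opt/splunkforwarder/etc/system/local
write_forwarder_conf() {
    dir=$1 ds=$2 idx=$3
    valid_target "$ds"  || { echo "bad deployment server: $ds" >&2; return 2; }
    valid_target "$idx" || { echo "bad indexer: $idx" >&2; return 2; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 3; }
    # Never clobber settings that a deployment server or an admin already put there.
    for f in deploymentclient.conf outputs.conf; do
        if [ -e "$dir/$f" ]; then
            echo "$dir/$f exists, not overwriting" >&2
            return 4
        fi
    done
    (
        umask 077   # new files are readable by their owner only
        cat > "$dir/deploymentclient.conf" <<EOF || exit 5
[deployment-client]

[target-broker:deploymentServer]
targetUri = $ds
EOF
        cat > "$dir/outputs.conf" <<EOF || exit 5
[tcpout]
defaultGroup = pilot_indexers

[tcpout:pilot_indexers]
server = $idx
EOF
    )
}
```

Run it as the OS account that owns the forwarder installation, then run `splunk restart` on the forwarder so the new files are read.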
