Do you need to keep the same splunk.secret file on...

sreejith2k2 · ‎02-13-2018

As per the Splunk doc on Deploy secure passwords across multiple servers the splunk.secret file will be automatically replicated by the Search Head captain during the initial cluster deployment.

Though Indexer cluster is entirely different to the Search Head Clustering and we have 50+ indexers in the multisite cluster, my queries are

Do you need to keep the same Splunk.secret file on all the Indexer peers.
Say, if we keep seperate splunk.secret on each indexer server and If we keep the plain text passwords in the server/inputs/outputs/authentication.conf files in the CyberArk, do we really need to worry on splunk.secret?

naveencardinalh · ‎02-14-2018

Yes, splunk.secret file should be same across all the cluster members.

sreejith2k2 · ‎02-14-2018

Hi naveencardinalhealth, Thanks. I havent seen any documentation within the splunk docs. For SH Cluster, I do agree with you (https://docs.splunk.com/Documentation/Splunk/latest/Security/Deploysecurepasswordsacrossmultipleserv...) but for indexer i havent see any documentation.

naveencardinalh · ‎02-14-2018

You need to keep the same splunk.secret file in both indexers, shc layer, deployment server and HF's..

teunlaan · ‎02-14-2018

1) No you don't need to
2) you are OK, if you keep everything in plain text

sreejith2k2 · ‎02-14-2018

2) you are OK, if you keep everything in plain text - but once the splunk is restarted, it will encrypt the passwords automatically.

Do you need to keep the same splunk.secret file on all the Indexer peers?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?