
Highly firewalled Splunk Server

New Member

I'm trying to automate the unattended setup of a Splunk server (will live in a temporary VM) so that the only accessible external services will be port 22 for SSH access and would like to check my thought process please 🙂

I'm planning on doing this by binding all of the various Splunk components to 127/localhost and then backing this up with UFW. I'll access the Splunk WebUI through an SSH port forward from my local machine. I only need to monitor files / data on the local machine.

My current plan is to

  • Echo some credentials into user-seed.conf in /etc/system/local/user-seed.conf
  • Add a web.conf in /etc/system/local/web.conf containing [settings] and httpport = 1234
  • Edit the above web.conf with mgmtHostPort = 127.0.0.1:8089
  • Amend the splunk-launch.conf in /opt/splunk/etc with SPLUNK_BINDIP=127.0.0.1

Create ufw rules that:

ufw allow from 127.0.0.1 to any port 9997
ufw allow from 127.0.0.1 to any port 8089
ufw allow from 127.0.0.1 to any port 1234

Then start Splunk:

splunk start --accept-license --no-prompt --answer-yes
splunk enable boot-start

This should have all Splunk components binding to 127 rather than the IP of eth0, whilst still allowing the various components like the CLI and WebUI to communicate with Splunkd? Is there a better way, in terms of Splunk best practice / security, of achieving this?

Thank you!

0 Karma
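The plan above, written out as one unattended bootstrap script. This is an added example, not code from the original post or from Splunk: it writes the three config files the plan lists, applies the ufw rules (note the `from` keyword, which the full-form ufw rule syntax requires), starts Splunk, and then checks with `ss` that nothing other than sshd is listening off-loopback. Assumed, and not stated in the post: SPLUNK_HOME is /opt/splunk, the host is Linux with GNU sed and iproute2 `ss`, SSH is on 22, and the receiving port is 9997. Function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): loopback-only Splunk bootstrap.
# Assumed: SPLUNK_HOME=/opt/splunk, web port 1234, management port 8089,
# receiving port 9997, SSH on 22, Linux with GNU sed and iproute2 ss.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
WEB_PORT="${WEB_PORT:-1234}"
MGMT_PORT="${MGMT_PORT:-8089}"
RECV_PORT="${RECV_PORT:-9997}"

# Write user-seed.conf, web.conf and splunk-launch.conf under the Splunk home
# given as $1. user-seed.conf carries the initial admin credential, so it is
# created 0600; HASHED_PASSWORD (output of `splunk hash-passwd`) can replace
# PASSWORD if you would rather not put the plaintext on disk.
write_splunk_local_conf() {
  local home="$1" user="$2" pass="$3" web="$4" mgmt="$5"
  local local_dir="$home/etc/system/local"
  mkdir -p "$local_dir"
  (umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" \
      > "$local_dir/user-seed.conf")
  printf '[settings]\nhttpport = %s\nmgmtHostPort = 127.0.0.1:%s\n' "$web" "$mgmt" \
      > "$local_dir/web.conf"
  # splunk-launch.conf lives in etc/, not etc/system/local; replace any
  # existing SPLUNK_BINDIP line instead of appending a duplicate.
  local launch="$home/etc/splunk-launch.conf"
  if [ -f "$launch" ]; then sed -i '/^SPLUNK_BINDIP=/d' "$launch"; fi
  printf 'SPLUNK_BINDIP=127.0.0.1\n' >> "$launch"
}

# Filter `ss -ltnH` output (local address:port in column 4) down to sockets
# bound to anything other than a loopback address. Empty output means clean.
non_loopback_listeners() {
  awk 'NF >= 4 { addr = $4; sub(/:[^:]*$/, "", addr)
                 if (addr != "127.0.0.1" && addr != "[::1]") print }'
}

# Default-deny inbound, keep SSH, pin the Splunk ports to loopback sources.
# ufw's stock before.rules already accept all traffic on lo, so the per-port
# rules are belt and braces; the real control is default deny plus the bind
# to 127.0.0.1. The full-form rule needs the `from` keyword.
apply_ufw_rules() {
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow 22/tcp
  local p
  for p in "$RECV_PORT" "$MGMT_PORT" "$WEB_PORT"; do
    ufw allow from 127.0.0.1 to any port "$p" proto tcp
  done
  ufw --force enable
}

# Full run; only executed when invoked as `sudo ./bootstrap.sh apply`.
main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  : "${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD in the environment}"
  write_splunk_local_conf "$SPLUNK_HOME" "${SPLUNK_ADMIN:-admin}" \
      "$SPLUNK_PASSWORD" "$WEB_PORT" "$MGMT_PORT"
  apply_ufw_rules
  "$SPLUNK_HOME/bin/splunk" start --accept-license --no-prompt --answer-yes
  "$SPLUNK_HOME/bin/splunk" enable boot-start
  # Post-start check: any off-loopback listener other than sshd is a finding.
  local leftovers
  leftovers="$(ss -ltnH | non_loopback_listeners | awk '$4 !~ /:22$/')"
  if [ -n "$leftovers" ]; then
    echo "non-loopback listeners found:" >&2
    echo "$leftovers" >&2
    return 1
  fi
  echo "Splunk is loopback-only; reach the UI with: ssh -L $WEB_PORT:127.0.0.1:$WEB_PORT <host>"
}

if [ "${1:-}" = "apply" ]; then main "$@"; fi
```

Two things the post-start check makes visible: with SPLUNK_BINDIP set, splunkd and splunkweb bind only to 127.0.0.1, but 9997 will not appear at all unless a splunktcp receiving input is configured, which this single-host setup does not need; and because ufw accepts everything on lo by default, the loopback-only behaviour comes from the bind, with the firewall's job being the default deny on eth0.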
Re: Highly firewalled Splunk Server

New Member

Does anyone have any ideas on the best way to config this please? Much appreciated 😄

0 Karma