Getting Data In

Can you change the admin user password on forwarder if you dont know the current?

jbleich
Path Finder

I have a forwarder in which we forgot the admin password. Right now it's causing the vmware app to only partially work. Before submitting a ticket on that I really need to know if i can get that password changed.

I'm using >splunk edit user admin -password "new_password" -auth admin:current_password, but obviously dont know the current.

Tags (2)

jbillings
SplunkTrust
SplunkTrust

On 7.1 or newer, you'll need to use the user.seed.conf. Hurricane Labs has a good rundown on how to do it.
https://www.hurricanelabs.com/splunk-tutorials/splunk-7-1-performing-a-splunk-password-reset

0 Karma

Yasaswy
Contributor

Yes. You can rename the $SPLUNKHOME/etc/passswd and restart splunkforwarder to rest it to default "changeme".

dfrankekcg
Explorer

This worked for me, allowed me to safely change the admin password of a heavy forwarder to the default--which I changed to something more secure right away.

0 Karma

Yasaswy
Contributor

Sure.If you installed it in the default location (/opt/splunkforwarder)
1)mv /opt/splunkforwarder/etc/passwd /opt/splunkforwarder/etc/passwd_OLD
3)cd /opt/splunkforwarder/bin
4)./splunk restart

you should now be able to login with default password "changeme".

on Windows ... go to install directory and rename the passwd file under etc.

jbleich
Path Finder

I'm very much a splunk newbie, can you be a bit more specific or point me to some documentation w/ some steps to do this task.

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...