Change on prem universal forwarder credential

dkordyban · ‎01-18-2022

We have several servers succesfully forwarding eventlogs to our on prem splunk server. No one can remember the credentials when installing the forwarder. What is the best way to handle this problem without breaking forwarding on the other servers?

Thanks

richgalloway · ‎01-18-2022

The forwarder's admin credentials have no bearing on its ability to forward data. The credentials are used only in the user interface (CLI).

To change the password, first create a $SPLUNK_HOME/etc/system/local/user-seed.conf file on the forwarder. The file should look like this:

[user_info]
USERNAME = admin
PASSWORD = somepassword

Then delete $SPLUNK_HOME/etc/passwd and restart the forwarder. When the forwarder starts up it will populate a new passwd file using the contents of user-seed.conf.

---
If this reply helps you, Karma would be appreciated.

SinghK · ‎01-18-2022

If you are saying that you set an admin password during installation you can change it %splunk_home %\etc\passwd rename it passed.bak and restart splunk it will create a new file default passed is I think changeme.

richgalloway · ‎01-18-2022

This method hasn't been supported since an early 7.x release. Splunk does not have a default password any longer.

---
If this reply helps you, Karma would be appreciated.

Change on prem universal forwarder credential

universal forwarder

Windows

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms