We have several servers successfully forwarding eventlogs to our on-prem Splunk server. No one can remember the credentials used when installing the forwarder. What is the best way to handle this problem without breaking forwarding on the other servers?
Thanks
The forwarder's admin credentials have no bearing on its ability to forward data. The credentials are used only in the user interface (CLI).
To change the password, first create a $SPLUNK_HOME/etc/system/local/user-seed.conf file on the forwarder. The file should look like this:
[user_info]
USERNAME = admin
PASSWORD = somepassword
Then delete $SPLUNK_HOME/etc/passwd and restart the forwarder. When the forwarder starts up it will populate a new passwd file using the contents of user-seed.conf.
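The steps above as a PowerShell script for a Windows universal forwarder. This is an added example, not part of the original answer. It assumes the default install path (override with -SplunkHome) and moves the old passwd file aside instead of deleting it so it can be restored.

```powershell
# Added example: reset the local admin credential on a Windows universal forwarder.
# Assumption: default install path below; pass -SplunkHome if yours differs.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$UserName   = 'admin'
)
$ErrorActionPreference = 'Stop'

$splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'
$passwd    = Join-Path $SplunkHome 'etc\passwd'
$seedDir   = Join-Path $SplunkHome 'etc\system\local'
$seed      = Join-Path $seedDir 'user-seed.conf'

if (-not (Test-Path $splunkExe)) { throw "splunk.exe not found under $SplunkHome" }

# Prompt so the new password never lands in the script or in shell history.
$secure = Read-Host -AsSecureString "New password for $UserName"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrWhiteSpace($plain)) { throw 'Empty password refused' }

# Move passwd aside (timestamped) rather than deleting it, so it can be restored.
if (Test-Path $passwd) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Move-Item -Path $passwd -Destination "$passwd.$stamp.bak"
}

# Write the seed file. ASCII avoids a byte-order mark; use an ASCII-only password.
New-Item -ItemType Directory -Path $seedDir -Force | Out-Null
Set-Content -Path $seed -Encoding ASCII -Value @(
    '[user_info]'
    "USERNAME = $UserName"
    "PASSWORD = $plain"
)
$plain = $null

# Restart so the forwarder builds a new passwd from user-seed.conf.
& $splunkExe restart
if ($LASTEXITCODE -ne 0) { throw "splunk restart exited with $LASTEXITCODE" }

if (-not (Test-Path $passwd)) { throw 'No new passwd file was created; check splunkd.log' }
Write-Host "New passwd file created for $UserName."

# The seed file holds the password in clear text; remove it if it is still there.
if (Test-Path $seed) { Remove-Item -Path $seed -Force }
```

Run it from an elevated prompt on each forwarder; outputs.conf and the inputs are not touched, so forwarding resumes after the restart.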
If you are saying that you set an admin password during installation, you can change it: in %splunk_home%\etc\passwd, rename it to passwd.bak and restart Splunk; it will create a new file. The default password is, I think, changeme.
This method hasn't been supported since an early 7.x release. Splunk does not have a default password any longer.