Getting Data In

Globally change universal forwarder password

antlefebvre
Communicator

I have the UF deployed on around 2000 windows clients. Both server and workstation editions. What would be the best way to go about universally changing the default password on these once installed?

1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

A quick way is to setup a windows scripted input. Inside the scripted input, you run the command:

$SPLUNK_HOME\bin\splunk.exe edit user admin -password $NEWPASSWORD -auth admin:changeme

Once this is run, you can delete the input from the forwarders. It won't run correctly again, because the admin password is now changed. After they have all been updated, you can remove the input. I'm assuming you have Deployment Server

View solution in original post

shawno
New Member

/opt/splunkforwarder/bin/splunk edit user admin -password $NEWPASSWORD

This doesn't work - how can I change the password without knowing the default or entered password for the forwarder?

Thanks

0 Karma

woodcock
Esteemed Legend

Try the "UF password changer" app!

https://splunkbase.splunk.com/app/2722/

sdawsonkg
Path Finder

There is no documentation available for this app.

0 Karma

Sayanta_Basak_I
Explorer

Hi @woodcock

I have tried using this app and it does not seem to work out as desired. I have enabled the app but still the forwarder are running with old default password. Am I missing anything here

Regards

0 Karma

woodcock
Esteemed Legend

Yes, splunk has changed many things about auth/passwords since this app was last updated. I am pretty sure that @scruse is no longer updating it but maybe he will comment.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

A quick way is to setup a windows scripted input. Inside the scripted input, you run the command:

$SPLUNK_HOME\bin\splunk.exe edit user admin -password $NEWPASSWORD -auth admin:changeme

Once this is run, you can delete the input from the forwarders. It won't run correctly again, because the admin password is now changed. After they have all been updated, you can remove the input. I'm assuming you have Deployment Server

antlefebvre
Communicator

I do not have a deployment server. Working on that one this week. I'll do this through a login script. Thank you.

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...