Getting Data In

Globally change universal forwarder password

antlefebvre
Communicator

I have the UF deployed on around 2000 windows clients. Both server and workstation editions. What would be the best way to go about universally changing the default password on these once installed?

1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

A quick way is to setup a windows scripted input. Inside the scripted input, you run the command:

$SPLUNK_HOME\bin\splunk.exe edit user admin -password $NEWPASSWORD -auth admin:changeme

Once this is run, you can delete the input from the forwarders. It won't run correctly again, because the admin password is now changed. After they have all been updated, you can remove the input. I'm assuming you have Deployment Server

View solution in original post

shawno
New Member

/opt/splunkforwarder/bin/splunk edit user admin -password $NEWPASSWORD

This doesn't work - how can I change the password without knowing the default or entered password for the forwarder?

Thanks

0 Karma

woodcock
Esteemed Legend

Try the "UF password changer" app!

https://splunkbase.splunk.com/app/2722/

sdawsonkg
Path Finder

There is no documentation available for this app.

0 Karma

Sayanta_Basak_I
Explorer

Hi @woodcock

I have tried using this app and it does not seem to work out as desired. I have enabled the app but still the forwarder are running with old default password. Am I missing anything here

Regards

0 Karma

woodcock
Esteemed Legend

Yes, splunk has changed many things about auth/passwords since this app was last updated. I am pretty sure that @scruse is no longer updating it but maybe he will comment.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

A quick way is to setup a windows scripted input. Inside the scripted input, you run the command:

$SPLUNK_HOME\bin\splunk.exe edit user admin -password $NEWPASSWORD -auth admin:changeme

Once this is run, you can delete the input from the forwarders. It won't run correctly again, because the admin password is now changed. After they have all been updated, you can remove the input. I'm assuming you have Deployment Server

View solution in original post

antlefebvre
Communicator

I do not have a deployment server. Working on that one this week. I'll do this through a login script. Thank you.

0 Karma