Getting Data In

How to change default "acceptFrom" for all Splunk REST API endpoints?

SplunkPersonal
Path Finder

In the restmap.conf file, you can specify acceptFrom to limit access to Splunk REST API endpoints to specific IPs. By default (and if unspecified), acceptFrom is * allowing access from all IP addresses. Is there a way to change this default for all Splunk REST API endpoints? I'd like to more tightly control access to these APIs, and defaulting open requires more effort to lockdown and makes it more likely to result in unintentionally leaving an API open. Thanks.

0 Karma
1 Solution

SplunkPersonal
Path Finder

Credit to xpac for this answer. He suggested trying adding the desired acceptFrom under [default] in restmap.conf. This was undocumented but worked.

So to make all REST API endpoints disabled by default, add the following stanza to restmap.conf:

[default]
acceptFrom=""

To enable specific REST API endpoints, add the acceptFrom underneath that endpoint's stanza in restmap.conf and set it to whatever IP addresses you want to allow (or * for any IP address).

Thanks again xpac!

View solution in original post

0 Karma

SplunkPersonal
Path Finder

Credit to xpac for this answer. He suggested trying adding the desired acceptFrom under [default] in restmap.conf. This was undocumented but worked.

So to make all REST API endpoints disabled by default, add the following stanza to restmap.conf:

[default]
acceptFrom=""

To enable specific REST API endpoints, add the acceptFrom underneath that endpoint's stanza in restmap.conf and set it to whatever IP addresses you want to allow (or * for any IP address).

Thanks again xpac!

0 Karma

SplunkPersonal
Path Finder

Thank you for the suggestion. That was a good idea. I tested it out, but unfortunately it doesn't work for my specific situation. Using acceptFrom in server.conf for [httpServer], I was able to successfully limit what IPs could use the REST API. But when I used restmap.conf to try to override the fail closed policy for a specific API endpoint with acceptFrom=*, it still rejected connections from non-whitelisted IP addresses. I ultimately need something that allows me to override that more restrictive default policy with a less restrictive but endpoint-specific policy.

Thanks for the idea.

0 Karma

xpac
SplunkTrust
SplunkTrust

Ah, yeah, that won't possible with that approach.

You could try and put

[global]
acceptFrom = whatever

in the restmap.conf, and just override in your own use case with a more specific stanza. You could also try putting that in a [default] stanza instead of global.
Its not explicitly mentioned in the doc, but sometimes things still work.

If you try this, please let us know if it worked!

0 Karma

SplunkPersonal
Path Finder

I had previously tried [general], [.], [*], and []. None of those worked. I hadn't thought of global or default, good idea. Global was a no go, but [default] worked. Great call on that and thank you!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...