Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change default "acceptFrom" for all Splunk REST API endpoints?

SplunkPersonal
Path Finder
‎05-11-2018 08:28 AM

In the restmap.conf file, you can specify acceptFrom to limit access to Splunk REST API endpoints to specific IPs. By default (and if unspecified), acceptFrom is * allowing access from all IP addresses. Is there a way to change this default for all Splunk REST API endpoints? I'd like to more tightly control access to these APIs, and defaulting open requires more effort to lockdown and makes it more likely to result in unintentionally leaving an API open. Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SplunkPersonal
Path Finder
‎05-12-2018 10:08 AM

Credit to xpac for this answer. He suggested trying adding the desired acceptFrom under [default] in restmap.conf. This was undocumented but worked.

So to make all REST API endpoints disabled by default, add the following stanza to restmap.conf:

[default]
acceptFrom=""

To enable specific REST API endpoints, add the acceptFrom underneath that endpoint's stanza in restmap.conf and set it to whatever IP addresses you want to allow (or * for any IP address).

Thanks again xpac!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

SplunkPersonal
Path Finder
‎05-12-2018 10:08 AM

Credit to xpac for this answer. He suggested trying adding the desired acceptFrom under [default] in restmap.conf. This was undocumented but worked.

So to make all REST API endpoints disabled by default, add the following stanza to restmap.conf:

[default]
acceptFrom=""

To enable specific REST API endpoints, add the acceptFrom underneath that endpoint's stanza in restmap.conf and set it to whatever IP addresses you want to allow (or * for any IP address).

Thanks again xpac!

0 Karma
Reply
Solved! Jump to solution

SplunkPersonal
Path Finder
‎05-12-2018 04:45 AM

Thank you for the suggestion. That was a good idea. I tested it out, but unfortunately it doesn't work for my specific situation. Using acceptFrom in server.conf for [httpServer], I was able to successfully limit what IPs could use the REST API. But when I used restmap.conf to try to override the fail closed policy for a specific API endpoint with acceptFrom=*, it still rejected connections from non-whitelisted IP addresses. I ultimately need something that allows me to override that more restrictive default policy with a less restrictive but endpoint-specific policy.

Thanks for the idea.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-12-2018 05:40 AM

Ah, yeah, that won't possible with that approach.

You could try and put

[global]
acceptFrom = whatever

in the restmap.conf, and just override in your own use case with a more specific stanza. You could also try putting that in a [default] stanza instead of global.
Its not explicitly mentioned in the doc, but sometimes things still work.

If you try this, please let us know if it worked!

0 Karma
Reply
Solved! Jump to solution

SplunkPersonal
Path Finder
‎05-12-2018 10:01 AM

I had previously tried [general], [.], [*], and []. None of those worked. I hadn't thought of global or default, good idea. Global was a no go, but [default] worked. Great call on that and thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...