Getting Data In

How to change default "acceptFrom" for all Splunk REST API endpoints?

SplunkPersonal
Path Finder

In the restmap.conf file, you can specify acceptFrom to limit access to Splunk REST API endpoints to specific IPs. By default (and if unspecified), acceptFrom is *, allowing access from all IP addresses. Is there a way to change this default for all Splunk REST API endpoints? I'd like to more tightly control access to these APIs, and defaulting open requires more effort to lock down and makes it more likely to result in unintentionally leaving an API open. Thanks.

0 Karma
1 Solution

SplunkPersonal
Path Finder

Credit to xpac for this answer. He suggested trying to add the desired acceptFrom under [default] in restmap.conf. This was undocumented but worked.

So to make all REST API endpoints disabled by default, add the following stanza to restmap.conf:

[default]
acceptFrom=""

To enable specific REST API endpoints, add the acceptFrom underneath that endpoint's stanza in restmap.conf and set it to whatever IP addresses you want to allow (or * for any IP address).

Thanks again xpac!


0 Karma
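As an added example (not Splunk's code and not part of the original post), the following Python models the two things the accepted solution relies on: a [default] stanza in restmap.conf supplying acceptFrom to every endpoint stanza that does not set its own, and the evaluation of an acceptFrom network ACL. The stanza names admin:example_endpoint and script:open_endpoint are made up for the demonstration; the matching semantics (rules applied in order, first match wins, a leading ! rejects, * matches anything, an empty list accepts nothing, and the documented default of * when nothing sets it) follow the acceptFrom description in server.conf.spec, and DNS-name rules are not resolved in this offline model.

```python
"""Offline model of Splunk restmap.conf acceptFrom layering and matching.

Added example, not Splunk's own code. It mimics how a [default] stanza
supplies acceptFrom to every endpoint stanza that lacks one, and how an
acceptFrom network ACL is evaluated (first matching rule wins, a leading
"!" rejects, "*" matches anything, an empty list accepts nothing).
Stanza names are hypothetical; DNS-name rules are not resolved here.
"""
import configparser
import ipaddress
import re

# Constructed restmap.conf fragment for the demonstration (not a real file).
SAMPLE_RESTMAP = """\
[default]
acceptFrom = ""

[admin:example_endpoint]
acceptFrom = !10.1.1/24, 10/8, 192.0.2.10

[script:open_endpoint]
acceptFrom = *
"""


def parse_restmap(text):
    """Parse restmap.conf text; [default] values fall through to every stanza."""
    cfg = configparser.ConfigParser(default_section="default", interpolation=None)
    cfg.optionxform = str  # keep key case (acceptFrom), as Splunk does
    cfg.read_string(text)
    return cfg


def effective_accept_from(cfg, stanza):
    """Return the acceptFrom rule list that applies to `stanza`.

    A stanza without its own acceptFrom (or an endpoint with no stanza at all)
    inherits [default]; if neither sets it, the documented default is "*".
    """
    if cfg.has_section(stanza):
        raw = cfg.get(stanza, "acceptFrom", fallback="*")
    else:
        raw = cfg.defaults().get("acceptFrom", "*")
    raw = raw.strip().strip('"')  # acceptFrom = "" means an empty rule list
    return [r for r in re.split(r"[,\s]+", raw) if r]


def _expand_cidr(rule):
    """Accept Splunk's short CIDR forms such as 10/8 or fe80:1234/32."""
    net, prefix = rule.split("/", 1)
    if ":" in net:
        if "::" not in net:
            net += "::"
    else:
        parts = net.split(".")
        net = ".".join(parts + ["0"] * (4 - len(parts)))
    return f"{net}/{prefix}"


def _rule_matches(rule, ip):
    if rule == "*":
        return True
    if "/" in rule:
        return ip in ipaddress.ip_network(_expand_cidr(rule), strict=False)
    try:
        return ip == ipaddress.ip_address(rule)
    except ValueError:
        return False  # DNS-name rule: not resolved in this offline model


def is_allowed(cfg, stanza, client_ip):
    """Evaluate the effective ACL: the first matching rule decides, else reject."""
    ip = ipaddress.ip_address(client_ip)
    for rule in effective_accept_from(cfg, stanza):
        reject = rule.startswith("!")
        if _rule_matches(rule.lstrip("!"), ip):
            return not reject
    return False


if __name__ == "__main__":
    cfg = parse_restmap(SAMPLE_RESTMAP)
    for stanza, ip in [("admin:example_endpoint", "10.2.3.4"),
                       ("admin:example_endpoint", "10.1.1.7"),
                       ("admin:unlisted_endpoint", "10.2.3.4"),
                       ("script:open_endpoint", "203.0.113.5")]:
        verdict = "allow" if is_allowed(cfg, stanza, ip) else "reject"
        print(f"{stanza:26} {ip:14} -> {verdict}")
```

On a real instance, confirm what actually landed with `splunk btool restmap list --debug` (it prints every effective stanza with the file it came from) and then call an endpoint from one allowed and one disallowed host. Keep in mind the thread's own finding: acceptFrom under [httpServer] in server.conf is enforced at the listener, so a wider acceptFrom on an endpoint stanza in restmap.conf cannot reopen what server.conf has already closed.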


SplunkPersonal
Path Finder

Thank you for the suggestion. That was a good idea. I tested it out, but unfortunately it doesn't work for my specific situation. Using acceptFrom in server.conf for [httpServer], I was able to successfully limit what IPs could use the REST API. But when I used restmap.conf to try to override the fail-closed policy for a specific API endpoint with acceptFrom=*, it still rejected connections from non-whitelisted IP addresses. I ultimately need something that allows me to override that more restrictive default policy with a less restrictive but endpoint-specific policy.

Thanks for the idea.

0 Karma

xpac
SplunkTrust

Ah, yeah, that won't be possible with that approach.

You could try and put

[global]
acceptFrom = whatever

in the restmap.conf, and just override in your own use case with a more specific stanza. You could also try putting that in a [default] stanza instead of global.
It's not explicitly mentioned in the doc, but sometimes things still work.

If you try this, please let us know if it worked!

0 Karma

SplunkPersonal
Path Finder

I had previously tried [general], [.], [*], and []. None of those worked. I hadn't thought of global or default, good idea. Global was a no go, but [default] worked. Great call on that and thank you!

0 Karma