Getting Data In

How to encrypt password in app outputs.conf?

Path Finder

I am deploying Indexer Cluster settings in an app to multiple Universal Forwarders via the Deployment Server. The issue I have is that they require the Indexer Cluster password to be sent in the /local/outputs.conf file.

App deployment works fine and a new outputs.conf is created on the Universal Forwarder under $SPLUNK_HOME/etc/system/local with the required stanza and encrypted password.

The issue is that the password exists in clear text in 2 places;

Deployment Server - $SPLUNK_HOME/etc/deployment_apps/app_name/local/outputs.conf

Universal Forwarder - $SPLUNK_HOME/etc/apps/app_name/local/outputs.conf

Is there a way for the password to be encrypted at all locations?


This problem seems to be known. Read this section on the docs and it mentions this specifically. It also gives a sort of workaround, too:

Warning: If you configure inputs.conf or outputs.conf in an app directory, the password is NOT encrypted and the clear-text value remains in the file. For this reason, you may prefer to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.

By adding this answer the question will pop up to the top of the stack, so maybe someone else will have a better answer.

Path Finder

My current solution is a script which pushes the pass4SymmKey password out to Universal Forwarders, then I deploy an empty app from the Deployment Server called 'restart' with the restart services flag checked which restarts the UF service on all of the UFs, which hashes the password.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!