Getting Data In

What is the admin account for on a Universal Forwarder?

Glasses
Builder

I have UFs on some "sensitive" servers and the owners - that did the install are questioning the purpose of the Admin account.
I have just accepted the fact that all splunk nodes require credentials and an account.
Is there an official document or explanation for the reason a UF needs one?

These are windows servers.
Thank you.

0 Karma
1 Solution

guilmxm
SplunkTrust
SplunkTrust

There are different contexts where CLI or REST access can be used or useful on a Splunk UF, you may want to refer to:

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands

On a UF specially, for trouble shooting you may run some commands like listing the file monitors, investigating the tailing processor, etc

Example:

splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus

This requires an admin access on the UF.

That being said, in real life in 99% of the cases you never never need to use a CLI or REST access on the UF, as a good practice we generally globally deactivate splunkd REST API on all standard UFs (not HFs !) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would such thing, you still can re-activate it, and again in most of the cases you don't need it because you would use for bad reasons most likely.

Deactivating via server.conf

[httpServer]
disableDefaultPort = true

So good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.

Guilhem

View solution in original post

guilmxm
SplunkTrust
SplunkTrust

There are different contexts where CLI or REST access can be used or useful on a Splunk UF, you may want to refer to:

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands

On a UF specially, for trouble shooting you may run some commands like listing the file monitors, investigating the tailing processor, etc

Example:

splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus

This requires an admin access on the UF.

That being said, in real life in 99% of the cases you never never need to use a CLI or REST access on the UF, as a good practice we generally globally deactivate splunkd REST API on all standard UFs (not HFs !) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would such thing, you still can re-activate it, and again in most of the cases you don't need it because you would use for bad reasons most likely.

Deactivating via server.conf

[httpServer]
disableDefaultPort = true

So good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.

Guilhem

Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...