Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- What is the admin account for on a Universal Forwa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have UFs on some "sensitive" servers and the owners - that did the install are questioning the purpose of the Admin account.
I have just accepted the fact that all splunk nodes require credentials and an account.
Is there an official document or explanation for the reason a UF needs one?
These are windows servers.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are different contexts where CLI or REST access can be used or useful on a Splunk UF, you may want to refer to:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands
On a UF specially, for trouble shooting you may run some commands like listing the file monitors, investigating the tailing processor, etc
Example:
splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus
This requires an admin access on the UF.
That being said, in real life in 99% of the cases you never never need to use a CLI or REST access on the UF, as a good practice we generally globally deactivate splunkd REST API on all standard UFs (not HFs !) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would such thing, you still can re-activate it, and again in most of the cases you don't need it because you would use for bad reasons most likely.
Deactivating via server.conf
[httpServer]
disableDefaultPort = true
So good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.
Guilhem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are different contexts where CLI or REST access can be used or useful on a Splunk UF, you may want to refer to:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands
On a UF specially, for trouble shooting you may run some commands like listing the file monitors, investigating the tailing processor, etc
Example:
splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus
This requires an admin access on the UF.
That being said, in real life in 99% of the cases you never never need to use a CLI or REST access on the UF, as a good practice we generally globally deactivate splunkd REST API on all standard UFs (not HFs !) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would such thing, you still can re-activate it, and again in most of the cases you don't need it because you would use for bad reasons most likely.
Deactivating via server.conf
[httpServer]
disableDefaultPort = true
So good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.
Guilhem
CX Day is Coming!
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
