Getting Data In

What is the admin account for on a Universal Forwarder?

Glasses
Builder

I have UFs on some "sensitive" servers and the owners - that did the install are questioning the purpose of the Admin account.
I have just accepted the fact that all splunk nodes require credentials and an account.
Is there an official document or explanation for the reason a UF needs one?

These are windows servers.
Thank you.

0 Karma
1 Solution

guilmxm
Influencer

There are different contexts where CLI or REST access can be used or useful on a Splunk UF, you may want to refer to:

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands

On a UF specially, for trouble shooting you may run some commands like listing the file monitors, investigating the tailing processor, etc

Example:

splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus

This requires an admin access on the UF.

That being said, in real life in 99% of the cases you never never need to use a CLI or REST access on the UF, as a good practice we generally globally deactivate splunkd REST API on all standard UFs (not HFs !) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would such thing, you still can re-activate it, and again in most of the cases you don't need it because you would use for bad reasons most likely.

Deactivating via server.conf

[httpServer]
disableDefaultPort = true

So good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.

Guilhem

View solution in original post

woodcock
Esteemed Legend
0 Karma

guilmxm
Influencer

There are different contexts where CLI or REST access can be used or useful on a Splunk UF, you may want to refer to:

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands

On a UF specially, for trouble shooting you may run some commands like listing the file monitors, investigating the tailing processor, etc

Example:

splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus

This requires an admin access on the UF.

That being said, in real life in 99% of the cases you never never need to use a CLI or REST access on the UF, as a good practice we generally globally deactivate splunkd REST API on all standard UFs (not HFs !) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would such thing, you still can re-activate it, and again in most of the cases you don't need it because you would use for bad reasons most likely.

Deactivating via server.conf

[httpServer]
disableDefaultPort = true

So good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.

Guilhem

Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...