Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: What is the admin account for on a Universal F...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have UFs on some "sensitive" servers and the owners - that did the install are questioning the purpose of the Admin account.
I have just accepted the fact that all splunk nodes require credentials and an account.
Is there an official document or explanation for the reason a UF needs one?
These are windows servers.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are different contexts where CLI or REST access can be used or useful on a Splunk UF, you may want to refer to:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands
On a UF specially, for trouble shooting you may run some commands like listing the file monitors, investigating the tailing processor, etc
Example:
splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus
This requires an admin access on the UF.
That being said, in real life in 99% of the cases you never never need to use a CLI or REST access on the UF, as a good practice we generally globally deactivate splunkd REST API on all standard UFs (not HFs !) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would such thing, you still can re-activate it, and again in most of the cases you don't need it because you would use for bad reasons most likely.
Deactivating via server.conf
[httpServer]
disableDefaultPort = true
So good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.
Guilhem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are different contexts where CLI or REST access can be used or useful on a Splunk UF, you may want to refer to:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands
On a UF specially, for trouble shooting you may run some commands like listing the file monitors, investigating the tailing processor, etc
Example:
splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus
This requires an admin access on the UF.
That being said, in real life in 99% of the cases you never never need to use a CLI or REST access on the UF, as a good practice we generally globally deactivate splunkd REST API on all standard UFs (not HFs !) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would such thing, you still can re-activate it, and again in most of the cases you don't need it because you would use for bad reasons most likely.
Deactivating via server.conf
[httpServer]
disableDefaultPort = true
So good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.
Guilhem
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
