I'm a bit confused about the user-seed.conf. Based on the documentation provided by Splunk, it seems this is to set up the initial password. Does this apply to Splunk universal forwarders? I am using the Splunk Enterprise version, and when I got to log into the web portion, I do change the default admin password. Do I still need to create a user-seed.conf file and then drop different credentials in there? Splunk doesn't really provide a good context for what this is used for in my opinion.
Here is the documentation I looked at: https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/User-seedconf
Thanks in advance!
When you change the Splunk password, either via the GUI or via the CLI, the $SPLUNK_HOME/etc/passwd file is updated and thereafter user-seed.conf is ignored.
However, if $SPLUNK_HOME//etc/passwd is ever deleted, user-seed.conf will again specify the default admin login password.
So the answer is - no, you don't need to set user-seed.conf unless you plan on removing your passwd file!
Thank you for the answer. So does this mean that if I change the initial password on the deployment server or indexer, I don't need to drop the user-seed.conf file in the forwarder?
I am not sure I understand what you mean. Changing the password of the deployment server or the indexer has no effect on the password of any forwarder.
You must change the password on each splunk instance. If you are not going to change the password on the forwarder, then you should use the user-seed.conf file. It is not encrypted, so the password will appear in clear text. That's pretty lame but I guess it beats leaving the password set to changeme