Getting Data In

What is the user-seed.conf file?

nmensah
Explorer

I'm a bit confused about the user-seed.conf. Based on the documentation provided by Splunk, it seems this is to set up the initial password. Does this apply to Splunk universal forwarders? I am using the Splunk Enterprise version, and when I go to log into the web portion, I do change the default admin password. Do I still need to create a user-seed.conf file and then drop different credentials in there? Splunk doesn't really provide a good context for what this is used for in my opinion.

Here is the documentation I looked at: https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/User-seedconf

Thanks in advance!

lguinn2
Legend

When you change the Splunk password, either via the GUI or via the CLI, the $SPLUNK_HOME/etc/passwd file is updated and thereafter user-seed.conf is ignored.

However, if $SPLUNK_HOME/etc/passwd is ever deleted, user-seed.conf will again specify the default admin login password.

So the answer is - no, you don't need to set user-seed.conf unless you plan on removing your passwd file!

nmensah
Explorer

Thank you for the answer. So does this mean that if I change the initial password on the deployment server or indexer, I don't need to drop the user-seed.conf file in the forwarder?

0 Karma

lguinn2
Legend

I am not sure I understand what you mean. Changing the password of the deployment server or the indexer has no effect on the password of any forwarder.

You must change the password on each Splunk instance. If you are not going to change the password on the forwarder, then you should use the user-seed.conf file. It is not encrypted, so the password will appear in clear text. That's pretty lame but I guess it beats leaving the password set to changeme.

0 Karma
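The check the answers above imply, as an added example that is not part of the original thread or Splunk's own tooling: it reports whether an instance still carries a cleartext seed file and whether the passwd file that overrides it exists. It assumes the seed file sits at etc/system/local/user-seed.conf and uses a `PASSWORD =` key; the function name and return codes are this example's own convention.

```shell
#!/usr/bin/env bash
# Added example: audit one Splunk instance for a leftover user-seed.conf.
# Return codes (this example's own convention):
#   0 = no seed file found
#   1 = seed file present and passwd exists (seed ignored, cleartext still on disk)
#   2 = seed file present and passwd missing (seed defines the admin password)
audit_user_seed() {
    local home="$1"
    local seed="$home/etc/system/local/user-seed.conf"   # assumed location
    local passwd="$home/etc/passwd"                       # path named in the thread
    local mode

    [ -f "$seed" ] || { echo "OK: no user-seed.conf under $home"; return 0; }

    # Report a cleartext PASSWORD key without ever printing its value.
    if grep -Eq '^[[:space:]]*PASSWORD[[:space:]]*=[[:space:]]*[^[:space:]]' "$seed"; then
        echo "WARN: $seed holds a cleartext PASSWORD value"
    fi

    # Flag seed files readable by group or others (GNU stat, then BSD stat).
    mode=$(stat -c '%a' "$seed" 2>/dev/null || stat -f '%Lp' "$seed")
    case "$mode" in
        *00) ;;
        *) echo "WARN: $seed has mode $mode; restrict it to the owner" ;;
    esac

    if [ -f "$passwd" ]; then
        echo "INFO: $passwd exists, so the seed is ignored; the file can be removed"
        return 1
    fi
    echo "ALERT: $passwd is missing; the seed defines the admin login password"
    return 2
}

# Usage: ./audit_user_seed.sh /opt/splunkforwarder
if [ "$#" -gt 0 ]; then audit_user_seed "$1"; fi
```

Run it per instance, since each forwarder, indexer and deployment server keeps its own passwd file.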