Getting Data In

Why are my credentials not working when I run Splunk forwarder commands?

mawomommoh
Path Finder

Whenever I run Splunk forwarder commands like splunk list monitor or splunk list forward-server, I get prompted to enter a username and password, but despite putting in the right credentials I still get a Login failed error. My other colleagues installed their forwarders the same way I did and they use the admin/changeme credentials when that prompt arises and it works, but I don't know why it does not work for me. I have used my personal credentials but it still did not work. I have also been added as an admin to the Splunk server but still no difference. I really don't know where the issue is coming from.

Any help would be appreciated. Thanks

0 Karma

DennisWoerner
Explorer

Hi @mawomommoh,

First, please don't use the standard credentials as it's a big security problem.

Deleting $SPLUNK_HOME/etc/passwd is a good way to restore the default admin credentials.

After that, I would totally recommend changing the default password to anything else by typing this command on the CLI:

splunk edit user <username> -auth admin:<admin_password> -password <password>

If you're using a 7.x Universal Forwarder, I guess you had to enter an admin password while/after the installation, so admin/changeme won't work.

See also here:
https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Changeapassword#Change_a_user_password_i...

ddrillic
Ultra Champion

Just delete the $SPLUNK_HOME/etc/passwd...

0 Karma

mawomommoh
Path Finder

Thanks.

I deleted the passwd file and the issue is resolved for the splunk restart command, but the issue still remains when these two commands are run: splunk list monitor and splunk list forward-server. It still asks for credentials when those two are run.

0 Karma

ddrillic
Ultra Champion

The default admin/changeme should work now...

0 Karma

mawomommoh
Path Finder

admin/changeme still doesn't work

0 Karma

MuS
SplunkTrust

Are you sure you deleted the right passwd file, and restarted Splunk immediately after deleting it? Also, did you enter the changeme pwd anywhere else (like just in the terminal, in a text editor or so) just to validate there is no weird keyboard behaviour or weird keyboard layout issue?

0 Karma

jamesjarrett
Path Finder

So this is a very old question but I just wanted to give the solution for any version post 7.1+. Normally the mgmt port being off for a Universal Forwarder is a no-brainer, but sometimes it might actually be nice to see how the UF is handling some sed/regex/etc. by using btool directly. You can go look at configs all day, but if something's being clobbered....

If you cannot log in, you never set a password (looking at you, Windows 'msiexec.exe /quiet' people...). To do this, or to reset your password for a universal forwarder, delete the etc/passwd in the ***splunk*** directory (now looking at you, Linux people - don't make that mistake...), and place a user-seed.conf in system/local. Details can be found here: https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/User-seedconf. Oh, and your management port might be disabled in server.conf; check that too. And web.conf if the port was assigned to something else.

I was rummaging around Google for something completely different but stumbled across this and had to update it....

 

0 Karma

fahmed11
Explorer

Thanks for your post. Found it after an hour of googling. Splunk Community should really deprecate answers older than a certain version or keep them separate in a historical archive to prevent the majority of their user base on newer versions from endlessly searching for relevant answers.

In our case, the issue was the same as what you described (silent install of the Windows Universal Forwarder using the /quiet flag). Here's what we did:

1. Create the following text file (replace the correct path for your Splunk UF install):

  • C:\Program Files\SplunkUniversalForwarder\etc\system\local\user-seed.conf

2. Add the following text into the file:

[user_info]
USERNAME = admin
PASSWORD = changeme

3. Restart the Splunk Forwarder service (e.g. manually within the services.msc console).

4. Once the service restarts, it will remove your user-seed.conf file and put a hashed version of your password (changeme in our case) into a passwd file in the path below. We don't really need to know this anymore, but if you were ever wondering why it was missing in the first place, now you have it.

C:\Program Files\SplunkUniversalForwarder\etc\passwd

 

5. Now you can also change your password, using the previously configured password, with the commands below:

cd 'C:\Program Files\SplunkUniversalForwarder\bin'
.\splunk edit user admin -auth admin:changeme -password <new_strong_password>
0 Karma
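The steps above, scripted end to end with verification, as an added example that is not part of the thread: it seeds the admin account, confirms the seed was consumed, proves the login with one of the commands from the question, and then rotates the seed password. It assumes the default install path used in the thread and the Windows service name 'SplunkForwarder'.

```powershell
# Added example (not from the thread): reset the UF admin password via user-seed.conf,
# verify the result, then rotate the seeded password to a strong one.
# Assumptions: default install path below and Windows service name 'SplunkForwarder'.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$SeedFile   = Join-Path $SplunkHome 'etc\system\local\user-seed.conf'
$PasswdFile = Join-Path $SplunkHome 'etc\passwd'
$SplunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'
$Service    = 'SplunkForwarder'

# Seed password (constructed value); it only lives until the rotation at the end.
$SeedPassword = 'changeme'

# 1. Remove a stale passwd file: user-seed.conf is only honoured when etc\passwd is absent.
if (Test-Path $PasswdFile) { Remove-Item $PasswdFile -Force }

# 2. Write the seed file; splunkd deletes it once it has been consumed.
@"
[user_info]
USERNAME = admin
PASSWORD = $SeedPassword
"@ | Set-Content -Path $SeedFile -Encoding ASCII

# 3. Restart the service and wait until it reports Running.
Restart-Service -Name $Service
(Get-Service -Name $Service).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# 4. Verify: the seed file is gone and a hashed passwd file has been generated.
if (Test-Path $SeedFile) { throw 'user-seed.conf was not consumed; check that the service restarted.' }
if (-not (Test-Path $PasswdFile)) { throw 'etc\passwd was not created; check splunkd.log.' }

# 5. Prove the credentials work with a command from the question (a non-zero exit
#    here usually means a wrong password or a disabled management port).
& $SplunkExe list forward-server -auth "admin:$SeedPassword"
if ($LASTEXITCODE -ne 0) { throw 'Login with the seeded password failed.' }

# 6. Rotate the seed password; the new one is read without echo and never written to disk.
$Secure = Read-Host -Prompt 'New admin password' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try   { $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr) }
& $SplunkExe edit user admin -auth "admin:$SeedPassword" -password $Plain
if ($LASTEXITCODE -ne 0) { throw 'Password rotation failed.' }
```

Run it from an elevated PowerShell session, since restarting the service and writing under Program Files require administrator rights.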