Getting Data In

Why are my credentials not working when I run Splunk forwarder commands?

Path Finder

Whenever I run Splunk forwarder commands line splunk list monitor or splunk list forward-server I get prompted to enter in a username and password but despite putting in the right credentials I still get a Login failed error. My other colleagues installed their forwarders the same way I did and they use the admin/changeme credentials when that prompt arises and it works, but I don't know why it does not work for me. I have used my personal credentials but it still did not work. I have also been added as an admin to the Splunk server but still not difference. I really don't know where the issue is coming from.

Any help would be appreciated. Thanks

0 Karma

Explorer

Hi @mawomommoh,

First, please don't use the standard credentials as it's a big security problem.

Deleting $SPLUNK_HOME/etc/passwd is a good way to restore the default admin credentials.

After that, I would totally recommend to change the default password to anything else by typing this command on the CLI:

splunk edit user <username> -auth admin:<admin_password> --newpassword  <password>

If you're using a 7.x Universal Forwarder, I guess you had to enter an admin password while/after the installation, so admin/changeme won't work.

See also here:
https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Changeapassword#Change_a_user_password_i...

Ultra Champion

Just delete the $SPLUNK_HOME/etc/passwd...

0 Karma

Path Finder

Thanks.

I deleted the passwd file and the issue is resolved for the the splunk restart command, but the issue still remains when these two commands are ran: splunk list monitor and splunk list forward-server. It still asks for credentials when those two are ran.

0 Karma

Ultra Champion

The default admin/changeme should work now...

0 Karma

Path Finder

admin/changeme still doesn't work

0 Karma

SplunkTrust
SplunkTrust

Are you sure you delete the right passwd file, and restarted Splunk immediately after deleting it? Also, did you enter the changeme pwd anywhere else (like just in the terminal, in a text editor or so) just to validate there is no weird keyboard behaviour or weird keyboard layout issue?

0 Karma