Why is my authentication.conf app appearing in the apps and slave-apps folder on indexers in our Splunk Enterprise 6.3.2 indexer cluster?

Communicator

Dear All,

I have a deployment server and a single cluster master with two clustered indexers (pretty simple) in this setup.

As documented everywhere, I am distributing the authentication.conf files in Apps and using the cluster master to distribute this.

I created an auth\local\authentication.conf app and I have put this into the master-apps folder on the Cluster Master.

When I look at the Indexers, I see that the auth\local\authentication.conf app is appearing in the slave-apps folder AND in the apps folder.

When I check this in btool, I see that the bindDNpassword in the slave-apps directory is plain text and not encrypted, but Splunk has encrypted the bindDNpassword in the apps folder.

I don't believe that this is expected behaviour - how do I get this to work?

Regards,

BlueSocket

0 Karma
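The check described in the question, as an added example that is not part of the original thread or Splunk's own tooling: it walks the `apps` and `slave-apps` folders under a Splunk `etc` directory and reports whether each `bindDNpassword` in an `authentication.conf` is stored encrypted or in plain text. It assumes encrypted values carry a `$1$` or `$7$` prefix; the function names, the `corp_ldap` stanza and the sample values are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: Splunk-encrypted values carry a "$1$" or "$7$" prefix.
ENCRYPTED_PREFIXES = ("$1$", "$7$")
# Matches only active settings; commented-out lines ("# bindDNpassword") are skipped.
SETTING = re.compile(r"^\s*bindDNpassword\s*=\s*(.*?)\s*$")


def audit_bind_passwords(etc_dir, subdirs=("apps", "slave-apps")):
    """Return sorted (relative_path, stanza, state) tuples for every bindDNpassword."""
    findings = []
    for sub in subdirs:
        # os.walk yields nothing if the folder does not exist on this host.
        for root, _dirs, files in os.walk(os.path.join(etc_dir, sub)):
            if "authentication.conf" not in files:
                continue
            path = os.path.join(root, "authentication.conf")
            stanza = "(no stanza)"
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    text = line.strip()
                    if text.startswith("[") and text.endswith("]"):
                        stanza = text[1:-1]
                        continue
                    match = SETTING.match(line)
                    if match:
                        encrypted = match.group(1).startswith(ENCRYPTED_PREFIXES)
                        state = "encrypted" if encrypted else "PLAINTEXT"
                        findings.append((os.path.relpath(path, etc_dir), stanza, state))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample mirroring the layout in the post: same app in both folders."""
    etc_dir = tempfile.mkdtemp(prefix="splunk_etc_")
    samples = {"slave-apps": "constructed-plaintext-value",
               "apps": "$1$constructedCiphertext=="}
    for sub, value in samples.items():
        local = os.path.join(etc_dir, sub, "auth", "local")
        os.makedirs(local)
        with open(os.path.join(local, "authentication.conf"), "w", encoding="utf-8") as fh:
            fh.write("[corp_ldap]\nbindDNpassword = %s\n" % value)
    return etc_dir


if __name__ == "__main__":
    for rel_path, stanza, state in audit_bind_passwords(build_sample_tree()):
        print("%-50s [%s] %s" % (rel_path, stanza, state))
```

On a real indexer, pass the path of `$SPLUNK_HOME/etc` to `audit_bind_passwords` instead of the constructed tree.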
1 Solution

SplunkTrust

SplunkTrust

Communicator

Good enough for me... I am getting rid of it on the Indexers.

0 Karma

Communicator

Harshil,

This makes sense, from everything that I have seen and understand, but if I need to distribute the authentication.conf to all of the indexers and the cluster master/configuration bundles are the only way, what am I to do for items like this? Am I to manually put the app into the /etc/apps directory and then send another Configuration Bundle down to my indexers to get them to pick up the new app?

0 Karma

SplunkTrust

@BlueSocket,

I didn't understand why you need to push authentication.conf to the indexer cluster every time, because the search head sends bundles to the indexers whenever a search query executes on the search head, and it passes the necessary authentication to the indexer, so there is no need to provide access to any users on the indexers. You only need to provide access to users on the search heads.

And if you really want to push authentication.conf to the indexer cluster, then there will be no solution for your requirement, as per my knowledge.

Thanks,
Harshil

Communicator

Does anyone know why this might be?

Should I be doing this?

Should I send this in as a bug to Support?

0 Karma