Installation

Unable to log in to Splunk instance with the admin login credentials created during installation on Ubuntu

indut
Path Finder

Hi, towards the completion step of the Splunk installation, when I accepted the license and started the Splunk service, I was asked to create a login, which was successful and completed the installation process.
When I launch <> it asks me to enter the login details used while creating the account, if it is the first-time login.
Splunk is not accepting the login details created at installation time.
I tried admin/changeme as well and it did not work.
Am I missing something? Please advise.
Thanks in advance.

1 Solution

gcusello
SplunkTrust

Hi indut,
from version 7.1.0, you have to define the admin password at installation; it is no longer "changeme".

When you install Splunk Enterprise, you must create a username and password for your administrator account. If you do not specify any arguments when you install the software, it prompts you to create a username and a password during the installation process.
If you do not create the password during installation, an unusable installation can occur. This can happen, for example, if you use the --no-prompt Splunk CLI argument for starting Splunk Enterprise and also do not provide an administrator password in user-seed.conf. In such a case, you must create the administrator credentials manually for the instance to be accessible.
If you upgrade from an older version of Splunk Enterprise, the installation uses the old administrator credentials.
( see https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Secureyouradminaccount )

If you don't remember your admin password, you can reset it following these steps:
Prior to 7.1.0

  • Stop the Splunk service.
  • Move the $SPLUNK_HOME/etc/passwd file to $SPLUNK_HOME/etc/passwd.bak.
  • Start Splunk.
  • After the restart you should be able to log in using the default login (admin/changeme).

After 7.1.0

splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"

Bye.
Giuseppe

deshikmashudhi
New Member

I was unable to log in with my credentials. Can you please help me?

zuehlaa
New Member

Have you tried resetting the admin password?

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Secureyouradminaccount

You must have the ability to write to the underlying password file ($SPLUNK_HOME/etc/passwd).

splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"

You must restart Splunk Enterprise after making this change.

indut
Path Finder

Thank you Zuehlaa for your quick reply.
I tried to update the passwd with the command provided above by opening passwd in the vi editor and adding the above command, but I was unable to make use of the <>/<> that I had updated in the passwd file using the vi editor.
I followed another approach by moving the passwd file to passwd.back and then updating as below, using the Splunk docs reference:

Edit the $SPLUNK_HOME/etc/system/local/user-seed.conf file as follows:
[user_info]
USERNAME = admin
PASSWORD =

Then I did the verification below and I could log in successfully.

To verify this I tried to log in using
./splunk login auth --admin:<>

indut
Path Finder

Thank you Gcusello for your quick reply.
I tried to update the passwd with the command provided above
splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password="

by opening passwd in the vi editor and adding the above command.
Somehow I was unable to make use of the new <>/<> that I had updated as per the above command in the passwd file with the vi editor.
I followed another approach that you suggested above, by moving the passwd file to passwd.back and then updating as below, using the Splunk docs reference:

Edit the $SPLUNK_HOME/etc/system/local/user-seed.conf file as follows:
[user_info]
USERNAME = admin
PASSWORD =

Then I did the verification below and I could log in successfully.
./splunk login -auth admin admin/<>

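The seed-file reset described in the posts above, as an added shell example that is not part of the thread or Splunk's own tooling: it reads the new password from stdin instead of a command-line argument, refuses to write while etc/passwd is still in place, creates user-seed.conf readable by its owner only, and lists the credential files the reset leaves on disk. The function names and the MIN_LEN default of 8 are assumptions.

```shell
#!/bin/sh
# Added example; seed_admin, leftovers and MIN_LEN are names made up here.
MIN_LEN="${MIN_LEN:-8}"   # assumption: set this to your own password policy

# seed_admin SPLUNK_HOME : reads the new admin password from stdin (one line).
# Returns 0 written, 2 bad input, 3 etc/passwd still present, 4 seed file exists.
seed_admin() {
    seed_dir="$1/etc/system/local"
    seed_file="$seed_dir/user-seed.conf"
    [ -d "$seed_dir" ] || { echo "missing $seed_dir" >&2; return 2; }
    # user-seed.conf is ignored while etc/passwd exists, so the move-aside
    # step from the thread has to come first.
    if [ -e "$1/etc/passwd" ]; then
        echo "move $1/etc/passwd aside first" >&2; return 3
    fi
    if [ -e "$seed_file" ]; then
        echo "$seed_file already exists, not overwriting" >&2; return 4
    fi
    # stdin keeps the password out of argv, ps output and shell history.
    IFS= read -r pw || [ -n "$pw" ] || { echo "no password on stdin" >&2; return 2; }
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "password shorter than $MIN_LEN characters" >&2; return 2
    fi
    # Subshell umask: the file is created 0600, the caller's umask is untouched.
    ( umask 077
      printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$pw" > "$seed_file"
    ) || return 2
}

# leftovers SPLUNK_HOME : prints files from the reset that still hold credential
# material: the moved-aside hash file (both spellings used in the thread) and
# the plaintext seed file.
leftovers() {
    for f in "$1/etc/passwd.bak" "$1/etc/passwd.back" \
             "$1/etc/system/local/user-seed.conf"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}
```

Once the new login is verified, review whatever leftovers prints and delete or restrict those files, since the backup still holds the old password hashes and the seed file holds the new password in plaintext.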