Hey everyone, just wanted to get some help with some issues I am facing with resetting a Server Enterprise password from Linux. I tried making a change to server.conf, from the local directory, specifically:
Checking kvstore port [8191]: open [223/1590]
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [instrumentation.usage.tlsBestPractices] in /opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf, line 451: | append [| rest /services/configs/conf-pythonSslClientConfig | eval sslVerifyServerCert (value: if(isnull(sslVerifyServerCert),"unset",sslVerifyServerCert), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as python_configuredApp values(sslVerifyServerCert) as python_sslVerifyServerCert by splunk_server | eval python_configuredSystem=if(python_configuredApp="system","true","false") | fields python_sslVerifyServerCert, splunk_server, python_configuredSystem]
| append [| rest /services/configs/conf-web/settings | eval mgmtHostPort=if(isnull(mgmtHostPort),"unset",mgmtHostPort), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as fwdrMgmtHostPort_configuredApp values(mgmtHostPort) as fwdr_mgmtHostPort by splunk_server | eval fwdrMgmtHostPort_configuredSystem=if(fwdrMgmtHostPort_configuredApp="system","true","false") | fields fwdrMgmtHostPort_sslVerifyServerCert, splunk_server, fwdrMgmtHostPort_configuredSystem]
| append [| rest /services/configs/conf-server/sslConfig | eval cliVerifyServerName=if(isnull(cliVerifyServerName),"feature",cliVerifyServerName), splunk_server=sha256(splunk_server) | stats values(cliVerifyServerName) as servername_cliVerifyServerName values(eai:acl.app) as servername_configuredApp by splunk_server | eval cli_configuredSystem=if(cli_configuredApp="system","true","false") | fields cli_sslVerifyServerCert, splunk_server, cli_configuredSystem]
| stats values(*) as * by splunk_server | eval date=now() | makejson output=data | eval _time=date, date=strftime(date,"%Y-%m-%d") | fields data date _time).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-9.0.3-dd0128b1f8cd-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Enter PEM pass phrase:
Done
}
Waiting for web server at http://127.0.0.1:webport to be available.................................................... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://kali::webport
Can someone help me to change the password? Concurrently, I have "Splunk forwarder" installed on both machines, the Windows host as well as the Linux machine. But I would like to ingest data from my Linux machine; this happened recently until I forgot the Server Enterprise password under the VMNET 1, Linux machine, 192.168.0.0/24: the {http://ocalhost,:web port }. Windows is working fine at the local address 127.0.0.1:webport.
Thanks for all the help in advance.
Thanks a lot for your support.
Hi @yashilmohadawoo
As per my understanding, you want to reset your Splunk web login password. If yes, please follow the steps below:
Rename the file /opt/splunk/etc/passwd to passwd_old.
Create the new file user-seed.conf in /opt/splunk/etc/system/local/user-seed.conf.
Add the following contents:
[user_info]
USERNAME = admin
PASSWORD = <your custom password>
Restart Splunk.
Now you will be able to log in to the Splunk UI.
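The rename and seed-file steps from the reply above, as an added example that is not part of the original reply or Splunk's own tooling. `stage_splunk_reset` is a hypothetical helper name, and the script assumes GNU `stat` on Linux; the restart is left as a manual step.

```shell
#!/bin/sh
# Added example (not from the thread): stage the admin reset described above.
# stage_splunk_reset is a hypothetical helper name; assumes GNU stat (Linux).
stage_splunk_reset() {
    splunk_home=$1 user=$2 pass=$3
    passwd_file="$splunk_home/etc/passwd"
    seed_dir="$splunk_home/etc/system/local"
    seed_file="$seed_dir/user-seed.conf"

    [ -d "$seed_dir" ] || { echo "missing $seed_dir" >&2; return 1; }
    # A stanza value is one line; reject multi-line or empty input.
    case $user$pass in
        *'
'*) echo "user/password must be single-line" >&2; return 1 ;;
    esac
    [ -n "$user" ] && [ -n "$pass" ] || { echo "empty user or password" >&2; return 1; }

    # Step 1: move passwd aside; splunkd ignores user-seed.conf while it exists.
    if [ -f "$passwd_file" ]; then
        # Never overwrite an earlier backup: it may hold the only copy of other accounts.
        [ ! -e "${passwd_file}_old" ] || { echo "${passwd_file}_old already exists" >&2; return 1; }
        mv "$passwd_file" "${passwd_file}_old" || return 1
    fi

    # Step 2: the seed holds a cleartext password, so create it with mode 0600.
    ( umask 077
      printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" > "$seed_file"
    ) || return 1
    chmod 600 "$seed_file" || return 1
    # Give the file to whoever owns etc/system/local (often the "splunk" user);
    # a root-owned 0600 seed would be unreadable to a non-root splunkd.
    chown "$(stat -c '%u:%g' "$seed_dir")" "$seed_file" || return 1
}

# Step 3 stays manual: "$SPLUNK_HOME/bin/splunk" restart
if [ "$#" -eq 3 ]; then
    stage_splunk_reset "$@"
fi
```

A password passed as a command-line argument is visible in the process list and shell history, so change it from the UI after the first login.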
Sir, can you also help me with resetting my password for the Splunk Server Enterprise through 127.0.0.1? Currently, on my Windows machine, I have been locked out; I can only log into the Splunk instance cloud, but not the Server Enterprise on the localhost:80....Webport
At the same time, I wanted to ask you whether, in server.conf in the directory /opt/splunk/etc//local/system, having nothing currently set for the SSL password as well as the passkey would be an issue when restarted?
{
sslConfig]
sslPassword =
[general]
pass4SymmKey =
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free
}
I am not sure if that is correct, as I have a long string process, with the algorithm type. Can you help me to identify which of them, if any, may be causing an issue? It is outside of my comprehension why there are so many processes under Splunk on my Linux machine.
┌──(kali㉿kali)-[~]
└─$ ps -eF | grep splunk
splunk 1117 1 0 91071 103088 0 00:17 ? 00:00:36 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
splunk 1313 1117 0 29684 5712 2 00:18 ? 00:00:00 [splunkd pid=1117] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner]
root 75854 1 0 18793 64132 2 02:38 ? 00:00:01 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py
root 80622 1 8 85198 147372 1 02:47 ? 00:00:01 splunkd -p 8080 restart
root 80623 80622 0 29684 19284 0 02:47 ? 00:00:00 [splunkd pid=80622] splunkd -p 8080 restart [process-runner]
root 80803 80623 2 20967 41140 0 02:47 ? 00:00:00 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=wiredTiger --wiredTigerCacheSizeGB=0.256000 --port=8191 --timeStampFormat=iso8601-utc --oplogSize=200 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --setParameter=oplogFetcherSteadyStateMaxFetcherRestarts=0 --replSet=EA7B7BD0-0109-429F-A25E-68B3C7528516 --bind_ip=0.0.0.0 --sslMode=requireSSL --sslAllowInvalidHostnames --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --tlsDisabledProtocols=noTLS1_0,noTLS1_1 --sslCipherConfig=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256 --nounixsocket --noscripting
kali 80901 80726 0 1583 2076 2 02:47 pts/5 00:00:00 grep --color=auto splunk
Can you help me to eliminate any of these many processes? Because I see a lot of the pythonpath initiating the instance_id_modular_input.py. Is this normal?
Run the following command :
From the kali machine :
dir : "/opt/splunk/bin/"
$ ./splunk stop
$ ./splunk start
Here I am being asked for a PEM passphrase; can this be anything?