Security

Having trouble resetting a server enterprise password from linux?

yashilmohadawoo
Observer

Hey everyone, just wanted to get some help with regards to some issues i am facing with resetting a Server Enterprise Password from Linux,  i tried making a change onto the server.conf , from the local directory, specifically , 

"/opt/splunk/etc/system/local" ..server.conf
 
Here is the current directory: 
┌──(root㉿kali)-[/opt/splunk/etc/system/local]
└─# ls
deploymentclient.conf   migration.conf   README   server.conf web.conf
 
{
[sslConfig]
sslPassword =
[general]
pass4SymmKey =
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free
 
 
From the above, i have also tried removing the SHA 256 algorithm Hash key under the,  "pass4SymmKey =", as well as "sslPassword ="m but after restarting the server, these fields which i omitted, seem to be blank by now .. 
 
 
As per some help, i was able to remove and also delete the, the server.conf, and prior to that i stopped the server with the following command  ...
 
                 $ ./splunk stop
 
Then after, this i tried restarting the server with the following command , but the issue here it is  not prompting me to create a new credentials, as per this page below :
 
 
┌──(root㉿kali)-[/opt/splunk/bin]
 
 
└─# ./splunk start
Splunk> All batbelt. No tights.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8080]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done

Checking kvstore port [8191]: open [223/1590]
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [instrumentation.usage.tlsBestPractices] in /opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf, line 451: | append [| rest /services/configs/conf-pythonSslClientConfig | eval ssl
VerifyServerCert (value: if(isnull(sslVerifyServerCert),"unset",sslVerifyServerCert), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as python_configuredApp values(sslVerifyServerCert) as python_sslVerifyServerCert by s
plunk_server | eval python_configuredSystem=if(python_configuredApp="system","true","false") | fields python_sslVerifyServerCert, splunk_server, python_configuredSystem]
| append [| rest /services/configs/conf-web/settings | eval mgmtHostPort=if(isnull(mgmtHostPort),"unset",mgmtHostPort), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as fwdrMgmtHostPort_configuredApp values(mgmtHostPor
t) as fwdr_mgmtHostPort by splunk_server | eval fwdrMgmtHostPort_configuredSystem=if(fwdrMgmtHostPort_configuredApp="system","true","false") | fields fwdrMgmtHostPort_sslVerifyServerCert, splunk_server, fwdrMgmtHostPort_configuredSystem
]
| append [| rest /services/configs/conf-server/sslConfig | eval cliVerifyServerName=if(isnull(cliVerifyServerName),"feature",cliVerifyServerName), splunk_server=sha256(splunk_server) | stats values(cliVerifyServerName) as servername_cli
VerifyServerName values(eai:acl.app) as servername_configuredApp by splunk_server | eval cli_configuredSystem=if(cli_configuredApp="system","true","false") | fields cli_sslVerifyServerCert, splunk_server, cli_configuredSystem]
| stats values(*) as * by splunk_server | eval date=now() | makejson output=data | eval _time=date, date=strftime(date,"%Y-%m-%d") | fields data date _time).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-9.0.3-dd0128b1f8cd-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Enter PEM pass phrase:
Done

}

Waiting for web server at http://127.0.0.1:webport to be available.................................................... Done


If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://kali::webport

 

Can someone help me to change the password, concurrently, i have both "Splunk forwarder" installed on the both machine , Windows Host as well as the  Linux Machine.. But i will like to ingest data from my Linux Machine , this happened recently until i forgot the Server Enterprise password under the VMNET 1, Linux Machine,  ,192.168.0.0/24 :the {http://ocalhost,:web port }, Windows is working fine at the local address 127.0.0.1:webport .. 

Thanks for all the help in advance .. 

 

 

Labels (2)
0 Karma

yashilmohadawoo
Observer

Thanks a lot for your support.

0 Karma

SanjayReddy
SplunkTrust
SplunkTrust

Hi @yashilmohadawoo 

as per my understanding , you want to reset your Splunk web login password, if yes, please follow below

rename the file /opt/splunk/etc/passwd to passwd_old
crete the new file user-seed.conf in /opt/splunk/etc/system/local/user-seed.conf
add following contents
[user_info]
USERNAME = admin
PASSWORD = <your cutstom password>

restart the splunk,

now you can able to login on Splunk UI

0 Karma

yashilmohadawoo
Observer

Sir can you also help me with resetting my password, for the Splunk Server, enterprise through the  127.0.0.1, currently on my windows machine, i have been locked out, i can only log into the splunk instance cloud, but not the server enterprise on the localhost:80....Webport

At the same time i wanted to ask you if in case the server.conf , through the directory, /opt/splunk/etc//local/system ..  if currently nothing  on the ssl password as well as the  passkey, would be an issue as when restarted  ? 

{

sslConfig]
sslPassword =
[general]
pass4SymmKey =
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free

}

I am not sure if that is correct as i have a long string process, with the algorithm type , can you help me to identify some of which if ever may be causing an issue.. It is outside of my comprehension why is there so many processes  under Splunk on my linux .. 

┌──(kali㉿kali)-[~]
└─$ ps -eF | grep splunk splunk 1117 1 0 91071 103088 0 00:17 ? 00:00:36 splunkd --under-systemd --systemd-delegate=yes -p 8089 _int
ernal_launch_under_systemd splunk 1313 1117 0 29684 5712 2 00:18 ? 00:00:00 [splunkd pid=1117] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner] root 75854 1 0 18793 64132 2 02:38 ? 00:00:01 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py root 80622 1 8 85198 147372 1 02:47 ? 00:00:01 splunkd -p 8080 restart root 80623 80622 0 29684 19284 0 02:47 ? 00:00:00 [splunkd pid=80622] splunkd -p 8080 restart [process-runner]
root 80803 80623 2 20967 41140 0 02:47 ? 00:00:00 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --
storageEngine=wiredTiger --wiredTigerCacheSizeGB=0.256000 --port=8191 --timeStampFormat=iso8601-utc --oplogSize=200 --keyFile=/
opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --setParameter=oplogFetcherSteady
StateMaxFetcherRestarts=0 --replSet=EA7B7BD0-0109-429F-A25E-68B3C7528516 --bind_ip=0.0.0.0 --sslMode=requireSSL --sslAllowInval
idHostnames --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --tlsDisabledProtocols=noTLS1_0,noTLS1_1 --sslCipherConfig=ECDHE-EC
DSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-
SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128
-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256 --nounixsocket --noscripting
kali 80901 80726 0 1583 2076 2 02:47 pts/5 00:00:00 grep --color=auto splunk

 

Can you help me to eliminate any of these many processes, cause i see a lot of the pythonpath, initiating the instance_id_modular_input.py, is this normal ..? 

 

Run the following command :

From the kali machine :

dir : "/opt/splunk/bin/"

$ ./splunk stop 

$ ./splunk start 

 

Here i am being asked the a PEM Passphrase, can this be anything  ?

 

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...