- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Help To recover Pass4SymmKey
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi , i have a indexer cluster of 3 indexers and 2 search heads are in a cluster and having the pass4symmkey. Which authenticate the connections between slaves and masters. Now my task is to add more indexers in a cluster so i need the pass4symmkey inorder to do that. Currently i wont have the password stored anywhere. How can i change the pass4symmkey value how can i recover the password ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Copy the splunk.secret file from $SPLUNK_HOME/etc/auth/ on your cluster master node and place it in the same location on your Monitoring Console node.
Once copied, start your instance.
Take the hashed Pass4SymmKey value from the existing cluster master.
Create a Splunk app ci1_unhash_app with an passwords.conf file containing a credential stanza with your reclaimed Pass4SymmKey.
Add the following to $SPLUNK_HOME/etc/apps/ci1_unhash_app/local/passwords.conf, for example:
[credential::test:]
password = $pass4symmkeyvalue
Use the following command to retrieve your credentials.
$SPLUNK_HOME/bin/splunk _internal call /storage/passwords/test
You can now use that value to join your new Monitoring console node to your cluster.
The command above may not work in it's current form. Make sure you check your app permissions or adjust the command to match the namespace of your app.
Once successfully joined to the cluster with a fully configure monitoring console, make sure that you delete the ci1_unhash_app.
Configure the Monitoring Console
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Copy the splunk.secret file from $SPLUNK_HOME/etc/auth/ on your cluster master node and place it in the same location on your Monitoring Console node.
Once copied, start your instance.
Take the hashed Pass4SymmKey value from the existing cluster master.
Create a Splunk app ci1_unhash_app with an passwords.conf file containing a credential stanza with your reclaimed Pass4SymmKey.
Add the following to $SPLUNK_HOME/etc/apps/ci1_unhash_app/local/passwords.conf, for example:
[credential::test:]
password = $pass4symmkeyvalue
Use the following command to retrieve your credentials.
$SPLUNK_HOME/bin/splunk _internal call /storage/passwords/test
You can now use that value to join your new Monitoring console node to your cluster.
The command above may not work in it's current form. Make sure you check your app permissions or adjust the command to match the namespace of your app.
Once successfully joined to the cluster with a fully configure monitoring console, make sure that you delete the ci1_unhash_app.
Configure the Monitoring Console
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but my indexer cluster master node and monitoring console node is on the same server , still do i need to copy the splunk.secret file ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whats this following command SPLUNK_HOME/bin/splunk _internal call /storage/passwords/test , will you please tell in the format like ./ which i need to execute in bin ?
.conf24 | Day 0
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
