Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I create a password file to distribute for my hfw?

a212830
Champion
‎10-11-2016 03:32 AM

Hi,

How can I create a password file that can be automated to share amongst my heavy forwarders?

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎10-14-2016 03:33 PM

Ah, one of my favorite things to do.

$SPLUNK_HOME/etc/system/default/user-seed.conf can be loaded with a default username and password so the normal admin account is created with a username/password you define in that user-seed.conf file. You'll see splunk deletes that clear-text file after start up. Therefore, you can hardcode those values in that file at install.

Alternatively, you can create a deployement app that contains a new passwd file and a scripted input to backup the old passwd file and put the new on in place. Scripted input means the output will be collected by splunk (define that sourcetype!). Keep in mind that the scripted input could be configured to run at splunk start OR on a schedule. Either way you'll want to take into account a restart after the file is in place AND removing the app (remove the server from the server class) OR don't remove the app to make sure the password file stays what you want it to be. Of course, for this, you'll also need the splunk.secret file to be distributed just the same so as to ensure the hash in the passwd file is honored.

A different option that might get to your same solution is to have a scripted input that disables the passwd file (by creating an empty one) and have a global app that distributes the ldap auth config. The result is that the only way to log in to the forwarder (or any instance really) is with a valid credential WHICH can therefore be audited (unlike a local account).

Bounce back with questions and good luck!

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎10-19-2016 05:07 AM

@212830 - any questions or comments thus far? Looking to get you an acceptable answer.

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎10-11-2016 06:14 AM

Hi a212830,

To deploy secure passwords across multiple servers, please refer to this topic in Splunk docs:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Deploysecurepasswordsacrossmultipleserver...

Hope it helps. Thanks!
Hunter

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...