How to Reset the Admin password?

Lionel
Splunk Employee

I just realized that I lost the Admin password and I need a way to access the system, with my Admin credentials.


cbreshears_splu
Splunk Employee

How to do this in 7.1+:

  1. Stop Splunk Enterprise.
  2. Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk.
  3. Create a file named user-seed.conf in your $SPLUNK_HOME/etc/system/local/ directory.
  4. In the file add the following text:

    [user_info]
    PASSWORD = NEW_PASSWORD

     In the place of "NEW_PASSWORD" insert the password you would like to use.
  5. Start Splunk Enterprise and use the new password to log into your instance from Splunk Web.
  6. If you previously created other users and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.

Versions prior to 7.1:

  1. Stop Splunk Enterprise.
  2. Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk.
  3. Start Splunk Enterprise and log in to your instance from Splunk Web using the default credentials of admin/changeme.
  4. You will be asked to enter a new password for your admin account.
  5. If you previously created other users and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.

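The file steps of the 7.1+ procedure in the accepted answer, as an added shell example that is not part of the original post and not Splunk's own tooling. It assumes the `$SPLUNK_HOME/etc` layout and the `passwd.bk` name used in the thread, and that passwd entries begin with `:username:`; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not Splunk tooling): the file steps of the 7.1+ reset.
# Assumed: $1 is SPLUNK_HOME, laid out as in the thread. Stop Splunk before
# steps 1-2, start it afterwards, then run steps 3-4.

# Step 1: move passwd aside. Catches the "Permission denied" case up front.
backup_passwd() {
    etc="$1/etc"
    [ -f "$etc/passwd" ] || { echo "no passwd file in $etc" >&2; return 1; }
    [ -w "$etc" ] || { echo "cannot write to $etc; run as the install owner" >&2; return 2; }
    [ ! -e "$etc/passwd.bk" ] || { echo "passwd.bk exists; not overwriting" >&2; return 3; }
    mv "$etc/passwd" "$etc/passwd.bk"
}

# Step 2: write user-seed.conf. The password comes from stdin, so it stays out
# of the process list; the file is created with owner-only permissions (600).
write_user_seed() {
    dir="$1/etc/system/local"
    IFS= read -r seed_password || true
    [ -n "$seed_password" ] || { echo "empty password" >&2; return 1; }
    mkdir -p "$dir" || return 1
    ( umask 077
      rm -f "$dir/user-seed.conf"
      printf '[user_info]\nPASSWORD = %s\n' "$seed_password" > "$dir/user-seed.conf" )
}

# Step 3: once Splunk has started and written a new passwd, append the other
# users from the backup. Assumption: each entry starts with ":username:".
restore_other_users() {
    etc="$1/etc"
    [ -f "$etc/passwd" ] && [ -f "$etc/passwd.bk" ] || return 1
    grep -v '^:admin:' "$etc/passwd.bk" >> "$etc/passwd" || true
}

# Step 4: do not leave the plaintext seed password on disk.
remove_seed() {
    rm -f "$1/etc/system/local/user-seed.conf"
}
```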

preactivity
Path Finder

We can reset both username(admin) and password to whatever we want.

  1. Changing admin password:
  • Identify /etc folder of your splunk installation and rename passwd file to passwd.back (you can rename to anything we want)
  • In the same etc folder, navigate to /System/local folder and create a file user-seed.conf. This configuration should have the latest password.

    [user_info]
    USERNAME = admin
    # You can enter whatever password you want.
    PASSWORD = changeme

  • Restart Splunk. Now you will see that a new passwd file is created with admin as the username and an encrypted password.
    At this stage you should be able to log in to Splunk with username admin and password changeme.

Rename the default username:
-> we can go to etc folder and open passwd file and there we can rename the admin to whatever name we want.

You can refer to below video for the instructions.

https://www.youtube.com/watch?v=pJferqpXcsc&t=16s

bandit
Motivator

Thanks for the updated answer @preactivity 🙂 as most of the older answers are no longer valid on the newer Splunk releases.

Rob

0 Karma

mleegoebel
New Member

For CentOS 6.x with splunk forwarder version 7.2.1 I use the following commands to update the passwords of splunk users.

   service splunk stop
   /path/to/splunkforwarder/bin/splunk edit user <username> -password <new_password>
   service splunk start

0 Karma

hythyt
Engager

Thanks "amielke". I had the same problem as chippysplunk.
Finally, I changed my password in the user-seed.conf file as below:

 [user_info]
 USERNAME = admin
 PASSWORD = myPassword

0 Karma

woodcock
Esteemed Legend

And then on reboot, admin gets recreated with the new password?

0 Karma

amielke
Communicator

Hi,

the solution with user-seed.conf was helpful.
I create the config-file in the folder $Splunk_HOME$/etc/system/local, like this:

[user_info]
USERNAME = admin
PASSWORD = myPassword

After a restart, the login was successful with these credentials.

hythyt
Engager

it worked!... for 7.1

0 Karma

amielke
Communicator

Hi,

I've read the steps, but unfortunately I don't want it that way. I renamed the passwd file, rebooted the system. I still can't login with admin and changeme. Splunk does not create a new passwd file for me either. There is also no standard initial login screen with admin and changeme.
Anybody have an idea?

0 Karma

cbreshears_splu
Splunk Employee

amielke, are you using 7.1? If so, read the accepted answer. You will need to set the password in the user-seed.conf file.

0 Karma

robert_b_lay
Engager

Thanks! This was exactly what I needed!

0 Karma

VatsalJagani
Motivator

@cbreshears_splunk - How about search head cluster?

0 Karma

cbreshears_splu
Splunk Employee

You will want to do this on your deployer to sync across your deployment:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Resetapasswordinadistributedenvironment

vinkumar_splunk
Splunk Employee

This worked. Thanks

0 Karma

season88481
Contributor

Thanks. The file name is passwd not passw BTW.

0 Karma

cbreshears_splu
Splunk Employee

Thanks, changed to reflect correct name.

kinjalmistry
Engager

Thank you. This worked.

0 Karma

rgodishela
Engager

Thank you. This worked.

0 Karma

hythyt
Engager

thanks this worked !....

0 Karma

Swatikeshari
New Member

mv /opt/splunk/etc/passwd /opt/splunk/etc/passwd.bak
mv: cannot move '/opt/splunk/etc/passwd' to '/opt/splunk/etc/passwd.bak': Permission denied

Why am I getting this error?

0 Karma