How to Reset the Admin password?

Lionel
Splunk Employee

I just realized that I lost the Admin password and I need a way to access the system, with my Admin credentials.

1 Solution

cbreshears_splu
Splunk Employee

How to do this in 7.1+:

  1. Stop Splunk Enterprise.
  2. Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk.
  3. Create a file named user-seed.conf in your $SPLUNK_HOME/etc/system/local/ directory.
  4. In the file add the following text:

    [user_info]
    PASSWORD = NEW_PASSWORD

     In the place of "NEW_PASSWORD" insert the password you would like to use.
  5. Start Splunk Enterprise and use the new password to log into your instance from Splunk Web.
  6. If you previously created other users and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.

Versions prior to 7.1:

  1. Stop Splunk Enterprise.
  2. Find the passw file for your instance ($SPLUNK_HOME/etc/passw) and rename it to passw.bk.
  3. Start Splunk Enterprise and log in to your instance from Splunk Web using the default credentials of admin/changeme.
  4. You will be asked to enter a new password for your admin account.
  5. If you previously created other users and know their login details, copy and paste their credentials from the passw.bk file into the passwd file and restart Splunk.
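
The file-handling steps of the 7.1+ procedure above, as an added shell example that is not part of the original answer or of Splunk itself. `seed_admin_password` is a hypothetical helper name; it assumes Splunk is stopped before the call and started afterwards, and it applies the 8-character minimum mentioned later in this thread.

```shell
#!/bin/sh
# Added example: seed_admin_password is a hypothetical helper, not a Splunk command.
# Usage (Splunk stopped):  seed_admin_password "$SPLUNK_HOME" < new_password_file
# Then start Splunk; if etc/passwd is not recreated, check splunkd.log.

seed_admin_password() {
    local home="$1"
    local pw seed
    local passwd_file="$home/etc/passwd"
    local local_dir="$home/etc/system/local"

    [ -d "$local_dir" ] || { echo "missing $local_dir" >&2; return 2; }

    # Read the password from stdin so it never appears in argv or shell history.
    IFS= read -r pw || [ -n "$pw" ] || { echo "no password on stdin" >&2; return 3; }

    # 9.x applies the password policy to the seed file too; 8 is the minimum
    # quoted in this thread, adjust it to your own policy.
    [ "${#pw}" -ge 8 ] || { echo "password shorter than 8 characters" >&2; return 4; }

    # Refuse to overwrite an earlier backup: it may hold the only copy of the
    # other users' entries that step 6 copies back.
    if [ -e "$passwd_file" ]; then
        [ ! -e "$passwd_file.bk" ] || { echo "$passwd_file.bk already exists" >&2; return 5; }
        mv "$passwd_file" "$passwd_file.bk"
    fi

    # The seed file holds the password in clear text: keep it owner-only,
    # even if a file with wider permissions was already there.
    seed="$local_dir/user-seed.conf"
    ( umask 077; printf '[user_info]\nPASSWORD = %s\n' "$pw" > "$seed" )
    chmod 600 "$seed"
}
```
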

bramuno
Explorer

Small note to add: since v9.x the password complexity is enforced in the user-seed.conf file as well. So be sure the new password is at least 8 characters long or whatever your complexity requirements are. If the new etc/passwd file is not created, then check the splunkd.log file for the failure reason.

preactivity
Path Finder

We can reset both the username (admin) and the password to whatever we want.

  1. Changing admin password:
  • Identify the /etc folder of your Splunk installation and rename the passwd file to passwd.back (you can rename it to anything you want).
  • In the same etc folder, navigate to the /System/local folder and create a file user-seed.conf. This configuration should have the latest password.

    [user_info]
    USERNAME = admin
    # you can enter whatever you want
    PASSWORD = changeme

  • Restart Splunk. Now you will see that a new passwd file is created with admin as the username and an encrypted password.
    At this stage you should be able to log in to Splunk with username admin and password changeme.

  2. Rename the default username:
  • We can go to the etc folder, open the passwd file, and there rename admin to whatever name we want.

You can refer to the video below for the instructions.

https://www.youtube.com/watch?v=pJferqpXcsc&t=16s

matthewmurphy
Splunk Employee

Just used this in March 2023 and can confirm it works in Splunk 9.x.

Cheers

bandit
Motivator

Thanks for the updated answer @preactivity 🙂 as most of the older answers are no longer valid on the newer Splunk releases.

Rob

0 Karma

mleegoebel
Engager

For CentOS 6.x with Splunk forwarder version 7.2.1, I use the following commands to update the passwords of Splunk users.

   service splunk stop
   /path/to/splunkforwarder/bin/splunk edit user <username> -password <new_password>
   service splunk start

hythyt
Engager

Thanks "amielke". I had the same problem as chippysplunk.
Finally, I changed my password in the user.seed.conf file as below:

 [user_info]
 USERNAME = admin
 PASSWORD = myPassword
0 Karma

woodcock
Esteemed Legend

And then on reboot, admin gets recreated with the new password?

0 Karma

amielke
Communicator

Hi,

the solution with user-seed.conf was helpful.
I create the config-file in the folder $Splunk_HOME$/etc/system/local, like this:

[user_info]
USERNAME = admin
PASSWORD = myPassword

After a restart, the login was successful with these credentials.

hythyt
Engager

it worked!... for 7.1

0 Karma

amielke
Communicator

Hi,

I've read the steps, but unfortunately I don't want it that way. I renamed the passwd file, rebooted the system. I still can't login with admin and changeme. Splunk does not create a new passwd file for me either. There is also no standard initial login screen with admin and changeme.
Anybody have an idea?

0 Karma

cbreshears_splu
Splunk Employee

amielke, are you using 7.1? If so, read the accepted answer. You will need to set the password in the user-seed.conf file.

0 Karma

qapabli
Engager

robert_b_lay
Engager

Thanks! This was exactly what I needed!

0 Karma

VatsalJagani
SplunkTrust

@cbreshears_splunk - How about search head cluster?

0 Karma

cbreshears_splu
Splunk Employee

You will want to do this on your deployer to sync across your deployment:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Resetapasswordinadistributedenvironment

vinkumar_splunk
Splunk Employee

This worked. Thanks

0 Karma

season88481
Contributor

Thanks. The file name is passwd not passw BTW.

0 Karma

cbreshears_splu
Splunk Employee

Thanks, changed to reflect correct name.

kinjalmistry
Explorer

Thank you. This worked.

0 Karma