Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I want to update the splunk.secret on my existing Splunk servers. Gotchas?

the_wolverine
Champion
‎02-17-2014 10:51 AM

For management purposes, I would like the splunk.secret on all my servers to match but its after I have started up Splunk for the first time already. Can I do this without breaking my setup?

The documentation referenced only mentions setting the splunk.secret BEFORE FIRST START. What about after first start?

1) Is there a documented process on how to do this?
2) What should I be aware of?
3) Anyone else done this?

Reply
1 Solution
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎02-17-2014 12:36 PM

the procedure for distributing secure passwords is documented here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Security/Deploysecurepasswordsacrossmultipleserver...

a good resource for "what gotchas are there?" info in general is this community-authored topic on the Community Wiki: http://wiki.splunk.com/Things_I_wish_I_knew_then

here's a bullet item from that topic about splunk.secret:

"Thinking about search head pooling or clustering? The splunk.secret file is important, because it helps set the encryption key used for things like SSL key files, LDAP service accounts, and so on. For systems that will need to share identical copies of files containing splunk encrypted password data, you may want to copy splunk.secret to such a system before the first time you start Splunk on it."

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎02-20-2014 12:42 PM

It doesn't appear that Splunk wants to provide the solution for syncing splunk.secret after first start. I'm starting my investigation and will post my findings here. Related question:

http://answers.splunk.com/answers/123896/need-a-list-of-all-the-locations-of-hashed-password-based-o...

0 Karma
Reply
Solved! Jump to solution

phoenixdigital
Builder
‎05-09-2016 07:06 PM

Well from first hand experience it breaks a Search Head.

DO NOT TRY THIS AT HOME!!!

We moved /opt/splunk/etc/passwd out of the way and Splunk recreated that on restart.

Cleartexted any passwords found in conf files with the grep command here
https://answers.splunk.com/answers/123896/need-a-list-of-all-the-locations-of-hashed-password-based-...

However the Search head keeps returning a 500 error.

0 Karma
Reply
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎02-17-2014 12:36 PM

the procedure for distributing secure passwords is documented here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Security/Deploysecurepasswordsacrossmultipleserver...

a good resource for "what gotchas are there?" info in general is this community-authored topic on the Community Wiki: http://wiki.splunk.com/Things_I_wish_I_knew_then

here's a bullet item from that topic about splunk.secret:

"Thinking about search head pooling or clustering? The splunk.secret file is important, because it helps set the encryption key used for things like SSL key files, LDAP service accounts, and so on. For systems that will need to share identical copies of files containing splunk encrypted password data, you may want to copy splunk.secret to such a system before the first time you start Splunk on it."

Reply
Solved! Jump to solution

the_wolverine
Champion
‎02-17-2014 02:17 PM

I have an existing implementation where I want to match up splunk.secret. I have modified my question to reflect that.

"Thinking about search head pooling or clustering? The splunk.secret file is important, because it helps set the encryption key used for things like SSL key files, LDAP service accounts, and so on. For systems that will need to share identical copies of files containing splunk encrypted password data, you may want to copy splunk.secret to such a system before the first time you start Splunk on it."

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-05-2017 09:47 AM

@the_wolverine How did this turn out? What did you learn?

0 Karma
Reply
Solved! Jump to solution

dshpritz
SplunkTrust
SplunkTrust
‎02-17-2014 01:08 PM

Also be aware that the splunk.secret is used when storing the credentials for some inputs (like modular inputs).

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top