Security
Highlighted

Is there a way to copy over existing users and their roles to new a Splunk instance?

Explorer

I am building out a new instance of splunk on new servers. I want to know is their a way to port over the existing user and their roles to the new splunk instance. The new instance is on a Linux server. Is there a way to tar up the existing user/roles on the old instance and port to the new instance.

Tags (2)
0 Karma
Highlighted

Re: Is there a way to copy over existing users and their roles to new a Splunk instance?

Splunk Employee
Splunk Employee
Highlighted

Re: Is there a way to copy over existing users and their roles to new a Splunk instance?

Explorer

I am now getting this error:
Can't read key file /mnt/splunk/splunk/etc/auth/server.pem errno=101077092 error:06065064:digital envelope routines:EVPDecryptFinalex:bad decrypt.
Couldn't initialize SSL Context for HTTPClient in ServerConfig
cannot find non-empty stack=enterprise for pool=autogeneratedpool_enterprise, skipping
Where config files do I need to re-enter my password to let Splunk re-encrypt it.

0 Karma
Highlighted

Re: Is there a way to copy over existing users and their roles to new a Splunk instance?

Splunk Employee
Splunk Employee

what files did you copy over to the new instance?

0 Karma
Highlighted

Re: Is there a way to copy over existing users and their roles to new a Splunk instance?

Explorer

/etc/app/*/local, /etc/users, /etc/passwd, /etc/system/local/server.conf, etc/auth/splunk.secret.

Should I just copy the server.pem pem file to server.pem_old, restart splunk and let it generate it again?

0 Karma
Highlighted

Re: Is there a way to copy over existing users and their roles to new a Splunk instance?

Splunk Employee
Splunk Employee

it sounds like your password from the old instance was copied to the new instance in $SPLUNKHOME/etc/system/local/server.conf. You can re-enter the correct password originally set on the new instance and restart splunk or reset back to default by pasting this into $SPLUNKHOME/etc/system/local/server.conf on the new instance:
(paste everything as it appears below)
[sslConfig]
enableSplunkdSSL = true
sslKeysfile = server.pem
sslKeysfilePassword = password
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth

http://docs.splunk.com/Documentation/Splunk/6.2.6/Security/SecureSplunktoSplunkcommunicationsusingth...

restart splunk on the new instance

0 Karma
Highlighted

Re: Is there a way to copy over existing users and their roles to new a Splunk instance?

Splunk Employee
Splunk Employee

If re-entering the correct password, just update sslKeysfilePassword and restart splunk

0 Karma