New Install - Default Credentials Invalid

Engager

I installed Splunk Enterprise 6.5.3 on a new WS2012R2 Core VM. I completed the install, changed the services to use a gMSA account and set up relevant groups and GPO settings. I set the services to log on with the gMSA account and started Splunkd and opened http://splunk:8000.

After getting to the webpage, I attempted to log in with 'admin' and 'changeme'. The login attempt failed and I tried it a few more times, to make sure it wasn't me. After that I tried IE, thinking that there could be an issue with Firefox, but the login failed there as well. I did some searching on the Internet and noted mentions of the /etc/passwd file within $splunk_home. I went to the /etc folder on my system and found that it does not have the passwd file.

Any ideas as to what the issue is? Is there a way I can change the password through the CLI? I ran splunk edit user admin -password changeme -role admin -auth admin:password and the command is sitting there without completing or erroring out.

0 Karma

Esteemed Legend

To reset the admin password you will need to have access to the file system. Rename/move the $SPLUNK_HOME/etc/passwd and restart Splunk, and the passwd file will be recreated with one login as admin and PW changeme.

0 Karma

Engager

The passwd file did not exist. I'm thinking something went wrong with the install, as a new install worked fine.

Influencer

Did you manually check the splunkd.log for any clues?

0 Karma

New Member

I just installed an instance of Splunk on Windows and the default ID and PSSWD says invalid even after I rename the passwd file and restart Splunk. When I start Splunk it is showing the user ID and password that I used to download the software.

0 Karma