Running V7.1, but just installed a new forwarder and received this response:

This appears to be your first time running this version of Splunk. An Admin password must be set before installation proceeds. Password must contain at least: * 8 total printable ASCII character(s). Please enter a new password: Please confirm new password:

Is this a new feature? What password is being requested?
From v7.1, Splunk requires you to set the admin password, because otherwise people tend to stick with changeme
😉
You can put in whatever password you like, but make sure to remember it.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
When do we even use this forwarder admin/pass?
On a forwarder it's rare that I've used it, other than checking the status of the tailingProcessor and such.
https://www.splunk.com/blog/2011/01/02/did-i-miss-christmas-2.html
So it's OK to leave it at the default in that case?
I would not leave it default...it may not be used often but it can be exploited for bad things. For example, somebody connecting to it with the default username/password, pointing it to a rogue deployment server, pushing down scripts to run in context of the splunk user and possibly owning the box.
On the UFs, we set a random password for the admin account and disable the management port.
Have a look at this .conf session from a couple years back:
https://conf.splunk.com/files/2016/recordings/universal-forwarder-security-dont-input-more-than-data...
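
One way to do what the answer above describes (random admin password, management port disabled) before a forwarder's first start, as an added example that is not part of the thread. It assumes Splunk 7.1+ `user-seed.conf` handling and the `disableDefaultPort` setting in `server.conf`; the app name `uf_hardening` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-seed a Universal Forwarder so it never runs with a
# default or interactively chosen admin password, and never opens its
# management port. Paths are relative to the forwarder's install dir.

# 128 bits from the kernel CSPRNG, hex encoded (32 printable ASCII chars).
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# user-seed.conf is read on first start, when etc/passwd does not exist yet
# (assumption: Splunk 7.1 or later). Created with owner-only permissions.
write_user_seed() {
    seed_dir="$1/etc/system/local"
    mkdir -p "$seed_dir"
    ( umask 077
      printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$2" \
          > "$seed_dir/user-seed.conf" )
}

# Put the port setting in its own app (hypothetical name) so re-running
# the script rewrites one file instead of appending duplicate stanzas.
disable_mgmt_port() {
    app_dir="$1/etc/apps/uf_hardening/local"
    mkdir -p "$app_dir"
    printf '[httpServer]\ndisableDefaultPort = true\n' > "$app_dir/server.conf"
}

# Returns 0 only if both hardening files are in place with expected content.
is_hardened() {
    grep -q '^PASSWORD = .\{8,\}$' "$1/etc/system/local/user-seed.conf" \
        2>/dev/null || return 1
    grep -q '^disableDefaultPort = true$' \
        "$1/etc/apps/uf_hardening/local/server.conf" 2>/dev/null || return 1
}

harden_uf() {
    # The password is written only to the seed file and is never echoed.
    write_user_seed "$1" "$(gen_password)"
    disable_mgmt_port "$1"
    is_hardened "$1"
}

# Usage: sh harden_uf.sh /opt/splunkforwarder   (run before first start)
if [ "$#" -ge 1 ]; then
    harden_uf "$1"
fi
```

With the management port disabled, CLI commands that query splunkd over REST stop working on that host, so status checks have to come from the forwarder's own logs.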