Hi.
It sounds completely inane to me to not have any authentication on the free splunkweb interface.
I use Splunk professionally, so naturally I run Splunk Free on my personal servers, but they are just not secure!
How would one go about securing their splunkweb in the free version?
You could reverse proxy the interface of the free version behind some other system. e.g., you could deny all but local access and require use of SSH tunnels, you could run an authenticated Apache reverse proxy in front of it, or use any other solution of your own devising. This will limit access, though you will still not be able to define roles or have different application users.
Not providing a secure login is extortion, not a policy. As a decision maker, I would not recommend this product to anyone (and will do the opposite) just because of that.
@bigwheels16
I totally understand your point, and I can agree that there is a good argument for having some basic authentication even in the free version. However, I would not go so far as to call the lack of such authentication "Extortion".
To me it looks more like @xorred may have misunderstood how the Trial license reverts to Splunk Free after some time, and that he maybe put some sensitive data in his Splunk, which suddenly became generally available. I can understand that one may feel a bit cheated upon in such a scenario, if that was indeed the case.
@kristian.kolb @Damien Dallimore
Most of us who use Splunk Free are devs who use it at work. None of us are going to fork out 5 grand to monitor our own little side projects. For many of us, we make recommendations on what software to use, and for some of us, we are the final decision makers. The more familiar we become with the software, and the better able we are to leverage it, the less likely we will ever want to change. But without basic auth, Splunk Free is unusable. Given all that, giving us a reason to look at other solutions is, frankly, stupid.
Eeh, no. It is not Extortion - it's called Marketing.
Extortion would be to remove the authentication feature from existing enterprise licensed installations, and only turn it back on if the customer pays (again).
You may see this function as a good thing - i.e. try-before-you-buy, OR you see this as a dealer handing out heroin to schoolchildren; "The first fix is free!".
You don't have to use Splunk.
Your choice.
You have comprehensive authorization and fine-grained access controls available if you acquire an Enterprise License.
http://slashdir.com/securing-splunk-free/
I did it like this in apache
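<virtualhost *:80>
    ServerAdmin evotech@slashdir.com
    ServerAlias splunk.slashdir.com
    # Forward everything to splunkweb listening on loopback port 8008
    ProxyPass / http://127.0.0.1:8008/
    ProxyPassReverse / http://127.0.0.1:8008/
</virtualhost>
<proxy http://127.0.0.1:8008/*>
    # Apache 2.2-style host access: "Allow from all" admits every client address
    Order deny,allow
    Deny from all
    Allow from all
    # ...and HTTP Basic auth then demands a valid login for each proxied request
    AuthName "splunk"
    AuthType Basic
    AuthUserFile /home/evotech/public_www/.htpasswd
    Require valid-user
</proxy>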
This, combined with a firewall rule that blocks HTTP for everyone but loopback on your Splunk port (port 8008 for me), makes sure that I can have a login for Splunk Free.
sudo iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8008 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8008 -j DROP
Although I still think it's insanely stupid to have to do it this way, it works.
Please include an admin user and password at the very least so people can block their free versions from a potential attacker. Even if it is just my personal server that I use for various owned domains and services, I don't want everyone to see all my logs; huge security issue.
Instead of iptables, you can use Splunk ipbinding: https://community.splunk.com/t5/Deployment-Architecture/Binding-web-interface-to-a-specific-IP-addre...
Hi,
I am trying to implement your solution on an HTTPS version of Splunk and an Apache 2.4.
For now I have replaced the http instances with https in your code, but the browser page times out.
Any ideas about how to achieve this?
The thing is I am concerned about my password being sent unencrypted over the network.
Thanks! 🙂
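The Apache setup posted earlier in this thread, adapted to Apache 2.4 with TLS so that the Basic-auth password is not sent in cleartext. This is an added example, not configuration from any poster or from Splunk; the hostname, certificate paths and password-file path are placeholders, and it assumes mod_ssl, mod_proxy, mod_proxy_http and the basic-auth modules are enabled.

```apache
# Added example. Placeholders: splunk.example.com, the certificate/key paths
# and /etc/apache2/splunk.htpasswd. Port 8008 is the Splunk Web port used in
# the post above.

# Port 80 only redirects, so credentials are never requested over plain HTTP.
<VirtualHost *:80>
    ServerName splunk.example.com
    Redirect permanent / https://splunk.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName splunk.example.com

    # TLS terminates at Apache: the browser-to-proxy leg is encrypted.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/splunk.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/splunk.example.com.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # The proxy-to-Splunk leg stays on loopback over plain HTTP.
    # If Splunk Web itself serves HTTPS, the backend URL becomes https://
    # and mod_proxy additionally needs "SSLProxyEngine on".
    ProxyPass        / http://127.0.0.1:8008/
    ProxyPassReverse / http://127.0.0.1:8008/

    # Apache 2.4 authorization syntax: "Require" replaces Order/Deny/Allow.
    <Location "/">
        AuthType Basic
        AuthName "splunk"
        # Keep the password file outside any directory Apache serves.
        AuthUserFile /etc/apache2/splunk.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

The loopback-only firewall rule or IP binding from the earlier posts is still needed, otherwise port 8008 remains reachable without going through the proxy.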
Just to add another dimension to this, @gkanapathy probably has the best answer with regards how to secure it;
It is also worth considering that since it is free and you cannot secure it in the normal Splunk manner that you perhaps shouldn't Splunk anything sensitive or anything you wouldn't want others to see. It is a free version and as you acknowledge in Damien's answer, there is the paid Enterprise version available (in 500mb/day too) which is what should be deployed in an enterprise or professional setup.
The free version is just great for small home setups where you might want to log small amounts of data for your own quick reference, or perhaps as some have done, just to log your greenhouse temperatures!
Well, it's a policy but not necessarily a bad one. It's still up to the user what they choose to store within it. Sadly at the end of the day it's just a fact that Splunk is a business and the more functionality a free version has, the less inclined people would be to purchase an enterprise license.
It should still come with a single user sign on to just not leave it open. That is just a bad policy.
There is no authentication on the Free License. You would need to purchase an Enterprise License to enable authentication.
I'm not asking for the full product, just a single login user, like "admin". It's a pretty basic security issue. Not asking for multi-user auth
Most likely, no. If there is a business case for implementing Splunk, you should go with an enterprise license.
If there isn't, a/o you just want to play around with it for fun/learning/personal use - then Splunk Free is there for you.
As for the amount of features available in Splunk Free, I'd say it's not really crippled in a bad way. Yes, you lose multi-user authentication and distributed searching. But as Drainy says, why should Splunk Inc provide you the full product for free?
/Kristian
I know that, not the question though.
Do people just leave their logs for all to see?