Securing Splunkweb (Free version)

Path Finder

Hi.

It sounds completely inane to me to not have any authentication on the free splunkweb interface.

I use splunk professionally, so naturally i run splunk free on my personal servers, but they are just not secure!

How would one go about securing their splunkweb in the free version?


Re: Securing Splunkweb (Free version)

Ultra Champion

There is no authentication on the Free License. You would need to purchase an Enterprise License to enable authentication.


Re: Securing Splunkweb (Free version)

Path Finder

I know that, not the question though.

Do people just leave their logs for all to see?


Re: Securing Splunkweb (Free version)

Ultra Champion

Most likely, no. If there is a business case for implementing Splunk, you should go with an enterprise license.

If there isn't, a/o you just want to play around with it for fun/learning/personal use - then Splunk Free is there for you.

As for the amount of features available in Splunk Free, I'd say it's not really crippled in a bad way. Yes, you lose multi-user authentication and distributed searching. But as Drainy says, why should Splunk Inc provide you the full product for free?

/Kristian


Re: Securing Splunkweb (Free version)

Path Finder

I'm not asking for the full product, just a single login user, like "admin". It's a pretty basic security issue. Not asking for multi-user auth.


Re: Securing Splunkweb (Free version)

Splunk Employee

You could reverse proxy the interface of the free version behind some other system. e.g., you could deny all but local access and require use of SSH tunnels, you could run an authenticated Apache reverse proxy in front of it, or use any other solution of your own devising. This will limit access, though you will still not be able to define roles or have different application users.



Re: Securing Splunkweb (Free version)

Champion

Just to add another dimension to this, @gkanapathy probably has the best answer with regard to how to secure it;

It is also worth considering that since it is free and you cannot secure it in the normal Splunk manner, you perhaps shouldn't Splunk anything sensitive or anything you wouldn't want others to see. It is a free version and, as you acknowledge in Damien's answer, there is the paid Enterprise version available (in 500mb/day too) which is what should be deployed in an enterprise or professional setup.

The free version is just great for small home setups where you might want to log small amounts of data for your own quick reference, or perhaps as some have done, just to log your greenhouse temperatures!


Re: Securing Splunkweb (Free version)

Path Finder

It should still come with a single user sign on to just not leave it open. That is just a bad policy.


Re: Securing Splunkweb (Free version)

Champion

Well, it's a policy but not necessarily a bad one. It's still up to the user what they choose to store within it. Sadly, at the end of the day it's just a fact that Splunk is a business and the more functionality a free version has, the less inclined people would be to purchase an enterprise license.


Re: Securing Splunkweb (Free version)

Path Finder

http://slashdir.com/securing-splunk-free/

I did it like this in Apache:

<VirtualHost *:80>
    ServerAdmin evotech@slashdir.com
    ServerAlias splunk.slashdir.com
    # Forward everything to Splunk Web, which listens on loopback only
    ProxyPass / http://127.0.0.1:8008/
    ProxyPassReverse / http://127.0.0.1:8008/
</VirtualHost>

<Proxy http://127.0.0.1:8008/*>
    # Host-based access stays open (the Allow wins); Basic auth is the gate
    Order deny,allow
    Deny from all
    Allow from all
    AuthName "splunk"
    AuthType Basic
    AuthUserFile /home/evotech/public_www/.htpasswd
    Require valid-user
</Proxy>

This, combined with a firewall rule that blocks HTTP for everyone but loopback on your Splunk port (port 8008 for me), makes sure that I can have a login for Splunk Free.

sudo iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8008 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8008 -j DROP

Although I still think it's insanely stupid to have to do it this way, it works.

Please include an admin user and password at the very least so people can block their free versions from a potential attacker. Even if it is just my personal server that I use for various owned domains and services, I don't want everyone to see all my logs; that is a huge security issue.
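The two iptables rules above are appended to INPUT, so any catch-all ACCEPT that already sits earlier in the chain matches first and the DROP is never reached. The following check, added here and not part of the thread or of Splunk, walks an `iptables-save` dump in first-match order and reports whether the Splunk Web port is reachable only from loopback; both dumps are constructed samples.

```python
import re

# Two constructed `iptables-save` extracts (not taken from the thread). GOOD mirrors the
# two rules posted above; LEAKY has a catch-all ACCEPT appended earlier, which first-match
# evaluation hits before the DROP ever sees a packet.
GOOD = """\
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp --dport 8008 -j ACCEPT
-A INPUT -p tcp --dport 8008 -j DROP
"""
LEAKY = """\
-A INPUT -p tcp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp --dport 8008 -j ACCEPT
-A INPUT -p tcp --dport 8008 -j DROP
"""

LOOPBACK = {"127.0.0.1", "127.0.0.1/32", "127.0.0.0/8"}

def parse_input_rules(dump):
    """Yield (source, dport, target) for each `-A INPUT` rule, in chain order."""
    for line in dump.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        src = re.search(r"\s-s\s+(\S+)", line)
        port = re.search(r"--dport\s+(\d+)", line)
        target = re.search(r"\s-j\s+(\S+)", line)
        yield (src.group(1) if src else None,
               int(port.group(1)) if port else None,
               target.group(1) if target else None)

def port_is_loopback_only(dump, port):
    """True when INPUT admits `port` from loopback and then drops everyone else.

    Walks the chain the way the kernel does: the first rule matching a new TCP
    connection to `port` decides. A rule without --dport matches every port, so a
    catch-all ACCEPT (or an ACCEPT for `port` without a loopback -s) is a leak.
    """
    seen_loopback_allow = False
    for src, dport, target in parse_input_rules(dump):
        if dport not in (None, port):
            continue                      # rule is about some other port
        if target == "ACCEPT":
            if src in LOOPBACK:
                seen_loopback_allow = True
                continue                  # the intended loopback allow
            return False                  # reachable from a non-loopback source
        if target in ("DROP", "REJECT"):
            return seen_loopback_allow    # blocked, and the proxy can still reach it
    return False                          # falls through to the chain policy
```

Run it against the live box with `port_is_loopback_only(subprocess.check_output(["iptables-save"], text=True), 8008)`.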