It sounds completely inane to me to not have any authentication on the free splunkweb interface.
I use Splunk professionally, so naturally I run Splunk Free on my personal servers, but they are just not secure!
How would one go about securing their splunkweb in the free version?
There is no authentication on the Free License. You would need to purchase an Enterprise License to enable authentication.
Most likely, no. If there is a business case for implementing Splunk, you should go with an enterprise license.
If there isn't, a/o you just want to play around with it for fun/learning/personal use - then Splunk Free is there for you.
As for the amount of features available in Splunk Free, I'd say it's not really crippled in a bad way. Yes, you lose multi-user authentication and distributed searching. But as Drainy says, why should Splunk Inc provide you the full product for free?
I'm not asking for the full product, just a single login user, like "admin". It's a pretty basic security issue. Not asking for multi-user auth.
You could reverse proxy the interface of the free version behind some other system. e.g., you could deny all but local access and require use of SSH tunnels, you could run an authenticated Apache reverse proxy in front of it, or use any other solution of your own devising. This will limit access, though you will still not be able to define roles or have different application users.
Just to add another dimension to this, @gkanapathy probably has the best answer with regards to how to secure it;
It is also worth considering that since it is free and you cannot secure it in the normal Splunk manner that you perhaps shouldn't Splunk anything sensitive or anything you wouldn't want others to see. It is a free version and as you acknowledge in Damien's answer, there is the paid Enterprise version available (in 500mb/day too) which is what should be deployed in an enterprise or professional setup.
The free version is just great for small home setups where you might want to log small amounts of data for your own quick reference, or perhaps as some have done, just to log your greenhouse temperatures!
Well, it's a policy but not necessarily a bad one. It's still up to the user what they choose to store within it. Sadly, at the end of the day it's just a fact that Splunk is a business and the more functionality a free version has, the less inclined people would be to purchase an enterprise license.
I did it like this in Apache:
<VirtualHost *:80>
    ServerAdmin firstname.lastname@example.org
    ServerAlias splunk.slashdir.com
    # Forward every request to splunkweb listening on loopback
    ProxyPass / http://127.0.0.1:8008/
    ProxyPassReverse / http://127.0.0.1:8008/
</VirtualHost>

# Require HTTP Basic authentication for everything that is proxied
<Proxy http://127.0.0.1:8008/*>
    Order deny,allow
    Deny from all
    Allow from all
    AuthName "splunk"
    AuthType Basic
    AuthUserFile /home/evotech/public_www/.htpasswd
    Require valid-user
</Proxy>
This, combined with a firewall rule that blocks HTTP for everyone but loopback on your Splunk port (port 8008 for me), makes sure that I can have a login for Splunk Free.
sudo iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8008 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8008 -j DROP
Although I still think it's insanely stupid to have to do it this way, it works.
Please include an admin user and password at the very least so people can block their free versions from a potential attacker. Even if it is just my personal server that I use for various owned domains and services, I don't want everyone to see all my logs, huge security issue.
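A way to check that the lockdown described in this thread actually holds, as an added example that is not part of any post: the script reads `ss -ltn` output and lists listeners on the splunkweb port that are bound to a non-loopback address. The function names and the sample listener tables are constructed for illustration; port 8008 is the one used in the post above.

```shell
#!/bin/sh
# Added example. Reads `ss -ltn` output on stdin and reports listeners on a
# given port that are bound to anything other than a loopback address.

# exposed_listeners PORT: print each non-loopback "address:port" for PORT.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                          # Local Address:Port column
            n = split(la, parts, ":")
            if (parts[n] != port) next       # port follows the last colon
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)            # drop scope suffix, e.g. %lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback bind
            print la
        }'
}

# is_loopback_only PORT: succeed only if no exposed listener exists for PORT.
is_loopback_only() {
    [ -z "$(exposed_listeners "$1")" ]
}

# Constructed sample: splunkweb on all interfaces, IPv4 and IPv6.
sample_exposed() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8008       0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      128    [::]:8008          [::]:*
EOF
}

# Constructed sample: splunkweb reachable only through the local proxy.
sample_loopback() {
    cat <<'EOF'
LISTEN 0      128    127.0.0.1:8008     0.0.0.0:*
LISTEN 0      128    [::1]:8008         [::]:*
LISTEN 0      511    *:80               *:*
EOF
}

# Demo on the constructed samples; on a real host: ss -ltn | exposed_listeners 8008
sample_exposed | exposed_listeners 8008
sample_loopback | is_loopback_only 8008 && echo "8008: loopback only"
```

The `iptables` rules in the post filter IPv4 only, so a `[::]:8008` listener in the output also needs a matching `ip6tables` rule or a loopback-only bind.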