Splunk Enterprise Security

Does Splunk "Clean All" make itself a backup of auth data for logging into the instance?

verbal_666
Builder

In many Splunk official Documentation we read sometimes, to "wipe" an instance, to launch the command

 

splunk clean all

 

OK. But, doing so, we reset also the passwd file, so from now on we have no more access to Splunk instance, unless we did previously a backup restoring it after the "clean all" did its job. So, considering this aspect, this type of documentation seems very dangerous to me, without specifying this case.

An example: i need to remove completely an instance from a SH Cluster
1) i follow the "clean all" Documentation, and i come in the case of an unuseful intsance
2) i follow, by myself, a "clean kvstore --cluster" or "clean kvstore --all", and the instance was there still running and operative, without the cluster db data registered

So, do a "splunk clean all" should make by itself a backup of auth data for logging into the instance or reassign the original "changeme"?

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I would not want to see Splunk commands automatically produce a backup of anything.  If a backup is needed then it should be up the admin to do so.  I think it's a good idea, however, for the documentation about the clean all command to warn admins that they will lose access to Splunk once the command completes.  Submit feedback on the docs page to suggest it.

---
If this reply helps you, Karma would be appreciated.

verbal_666
Builder

I can agree with the automatic backup.

But, IMHO, it's a big trouble for a normal user to loose completely access to his instance, without an explicit  WARNING (which asks to backup his passwd!!! And that after that his instance will be without admin control!!!).

IMO 😕

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...