Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the distributed_leases stanza for?

jmcnutt
Engager
‎07-26-2023 11:57 AM

I am working on securing all of the communications to my Splunk Enterprise servers.

Looking at the output of "splunk btool server list" there is a section named "distributed_leases" that has "sslVerifyServerCert=false" set (as given in etc/system/default/server.conf).

On the one hand, it also has "disabled=true" so I should be able to set it however I want and see no effects.

On the other hand, I don't prefer to tweak settings without knowing what they belong to.

Looking at the spec file revealed no more than a trivial answer about securing the connection.  Searching on docs.splunk.com turned up nothing except for the server.conf.spec file that I already had.

Does anyone know what "distributed_leases" is used for?

Labels (1)
Labels
0 Karma
Reply

cklunck
Path Finder
‎07-27-2023 08:03 PM

That stanza was added in v8.2.0, which was about the time federated search was rolled out.

If I had to guess, that stanza could lay the foundation for leasing authentication tokens from a vault (like HashiCorp Vault or Amazon STS), so those leased credentials can be used with distributed/federated search.

Admittedly, this is nothing more than wild speculation on my part. But given that it's not yet documented, it's probably not in use anywhere. And since it's disabled by default, you're probably safe changing the verify clause to true without it impacting anything. However, if it does break something, you didn't hear that from me

Source: completely baseless speculation

Reply

jmcnutt
Engager
‎07-31-2023 08:09 AM

Well, I'll be trying it shortly.  Fortunately, I have a host that doesn't matter TOO much if I break it.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...