So you want to allow someone to access your license but don't connect in any other way? To make it airtight you would need something like an API gateway and only certain REST calls (regarding license) to 8089. Things to take in consideration. By default the LM allows any license slave that is able to connect to 8089 to use your license. May not be smart to open this for the world. You can protect this by changing your pool to only allow predefined licenseslaves. These are identified by the machine GUID. You can either collect all the GUIDs beforehand or keep a small pool open for all slaves to connect. After one connect you can then use the GUI to add a new slave to your 'full' pool. ... View more

I think i have seen this while testing our ssl config for HEC. I think your cert chain is incomplete. You have to supply your certs and key in the following way: http://docs.splunk.com/Documentation/Splunk/7.2.0/Security/HowtoprepareyoursignedcertificatesforSplunk and if your key uses a password you can specify that in the [http] stanza with sslPassword See also: https://answers.splunk.com/answers/462131/securing-http-event-collector.html#answer-692893 ... View more

Found your question, had the same. Posted a solution here: answers.splunk.com/answers/462131/securing-http-event-collector.html ... View more

I've just spent some time with the same challenge and found out most of the above might not be the best solution, simply does not work, or is deprecated. By default when you enable HEC and choose enable SSL Splunk uses the same self signed certs as for port 8089. To secure HEC you can change this configurationin server.conf. Of course it might not be the best idea to secure your HEC with the same certs as port 8089 management traffic. We solved it by generating a new certification chain (resulting in a new pem with server cert + key + CA cert) and key and edit the HEC stanza in inputs.conf: [http] disabled = 0 index = main enableSSL = 1 serverCert = <full path to your certificate chain pem file> sslPassword = <password for server key used in chain> Restart splunkd and now your HEC uses this cert. For reference see: http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Inputsconf#http:_.28HTTP_Event_Collector.29 As said Splunk expects a chain of certs and key, see the following examples for how to format this for Splunk and how to generate them self signed: http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates http://docs.splunk.com/Documentation/Splunk/7.2.0/Security/HowtoprepareyoursignedcertificatesforSplunk ... View more

For everyone who (like me) is wondering if and in which release this was fixed: This was registered as issue SPL-154405/SPL-147319: SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log Resolved in Splunk 7.0.5 http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues ... View more

Let me add more context and a suggestion. The page suggested by @mayurr98 does not solve this issue. We have around 90 global shared dashboards. If we use the dynamics list with source=all you get all global dashboards and the ones created in the app. We can refer to this apps' dashboards by using name=, but with this many apps and dashboards that is not really an option. Basically what would work for us is possibility to use something like source=app to only show views/searches created in that app context, the same as in the dashboard and searches overview: all/this app/private. ... View more