Securing Splunk Enterprise
BigData Training Architect II in Content
The Splunk web console is a very powerful interface that not only allows you to search and analyze your indexed data, but also to manage and administrate your Splunk installation. Security, however, becomes paramount with such a powerful interface. In this hands-on lab, you are given the opportunity to exercise the following:
- Override the default web.conf file
- Enable SSL for the Splunk web console
- Change the default HTTP/HTTPS port
- Browse the Splunk web console over HTTPS
- Create a user with limited access
You work as a system administrator in charge of a single-node Splunk installation. You are tasked with securing the Splunk web console via HTTPS and with configuring the console to accept connections over the default HTTPS port, 443. Once you have configured the web console to use HTTPS, you can log in to check your work with the following administrator credentials:
Once the web console is secured, use it to create a new user with the following criteria:
- Full Name: Cloud User
- Email Address: email@example.com
- Timezone: Default
- Default App: Search
- Roles: User
- Require password change on first login: True
Then, log out as the admin user and log in as cloud_user to verify that you are prompted to set a new password on first login.
Begin by logging in to the lab server using the credentials on the hands-on lab page:
Configure HTTPS over port 443 using the web.conf configuration file
Switch to the root user:
sudo su -
Copy the default web.conf file into the local configuration directory:
cp /opt/splunk/etc/system/default/web.conf /opt/splunk/etc/system/local/.
Change the permissions to enable write permissions on the copied web.conf file:
chmod 600 /opt/splunk/etc/system/local/web.conf
Mode 600 limits access to the file's owner, so if Splunk runs as a dedicated non-root user rather than root, that user must own the file or splunkd will not be able to read it.
In the /opt/splunk/etc/system/local/web.conf file, change the following lines:
From:
# port number tag is missing or 0 the server will NOT start an http listener
# this is the port used for both SSL and non-SSL (we only have 1 port now).
httpport = 8000
# this determines whether to start SplunkWeb in http or https.
enableSplunkWebSSL = false
To:
# port number tag is missing or 0 the server will NOT start an http listener
# this is the port used for both SSL and non-SSL (we only have 1 port now).
httpport = 443
# this determines whether to start SplunkWeb in http or https.
enableSplunkWebSSL = true
Save and close the file. Changes to web.conf take effect only after Splunk is restarted (for example with /opt/splunk/bin/splunk restart).
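To make the manual edit above repeatable and checkable, here is an added example (not part of the lab or of Splunk's own tooling) that rewrites the two keys in a copy of web.conf and then verifies the result. It assumes both keys live in the [settings] stanza, as in the default file; the function names and the sample file are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not part of the lab): apply and verify the two web.conf
# changes the lab makes by hand. Assumes both keys sit in the [settings]
# stanza, as in the default web.conf; the sample file below is constructed.
set -eu

# Rewrite httpport / enableSplunkWebSSL inside [settings] only, leaving every
# other line (including the default file's comments) untouched.
apply_web_settings() {                      # $1 = web.conf path, $2 = port
    local conf="$1" port="${2:-443}"
    sed -i "/^\[settings\]/,/^\[/ {
        s/^httpport[[:space:]]*=.*/httpport = ${port}/
        s/^enableSplunkWebSSL[[:space:]]*=.*/enableSplunkWebSSL = true/
    }" "$conf"
    chmod 600 "$conf"                       # owner-only, as in the lab
}

# Succeed (exit 0) only if [settings] says SSL on and httpport = $2;
# the last occurrence of each key within the stanza is the one reported.
check_web_settings() {                      # $1 = web.conf path, $2 = port
    local conf="$1" port="${2:-443}" ssl got
    ssl=$(sed -n '/^\[settings\]/,/^\[/ s/^enableSplunkWebSSL[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    got=$(sed -n '/^\[settings\]/,/^\[/ s/^httpport[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    printf 'enableSplunkWebSSL=%s httpport=%s\n' "${ssl:-unset}" "${got:-unset}"
    [ "$ssl" = "true" ] && [ "$got" = "$port" ]
}

# Constructed sample that mirrors the lines the lab edits (not a real web.conf).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[settings]
# this is the port used for both SSL and non-SSL (we only have 1 port now).
httpport = 8000
# this determines whether to start SplunkWeb in http or https.
enableSplunkWebSSL = false
EOF
apply_web_settings "$sample" 443
check_web_settings "$sample" 443            # enableSplunkWebSSL=true httpport=443
rm -f "$sample"
```

Point apply_web_settings at /opt/splunk/etc/system/local/web.conf to perform the lab's edit, and run check_web_settings before restarting Splunk to confirm the file says what you expect.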
Browse to your Splunk web console over HTTPS port 443
In your browser, go to
You will likely get a certificate warning. This is because the default certificate was created for the host's local site address, not for the public gateway address you are browsing to.
Using the Splunk web console, create a new user
In the web console, go to Settings > Access Controls.
Click + Add new on the Users tile.
Enter the following for each field:
- Full name: Cloud User
- Email address: firstname.lastname@example.org
- Set password:
- Confirm password:
- Time zone: -- Default System Timezone --
- Default app: search (Search & Reporting)
- Assign to roles: user
- Create a role for this user: false
- Require password change on first login: true
Log out as the admin user and log in as cloud_user to verify that a new password is requested.
You may set the password if you like, to continue logging in and verifying the limited permissions.
Congratulations, you've completed this hands-on lab!