Securing Splunk Enterprise

Hands-On Lab


Myles Young

BigData Training Architect II in Content

Length

01:30:00

Difficulty

Intermediate

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Securing Splunk Enterprise

Introduction

The Splunk web console is a very powerful interface that not only allows you to search and analyze your indexed data, but also to manage and administrate your Splunk installation. Security, however, becomes paramount with such a powerful interface. In this hands-on lab, you are given the opportunity to exercise the following:

  • Override the default web.conf file
  • Enable SSL for the Splunk web console
  • Change the default HTTP/HTTPS port
  • Browse the Splunk web console over HTTPS
  • Create a user with limited access

Instructions

You work as a system administrator in charge of a single-node Splunk installation. You are tasked with securing the Splunk web console via HTTPS and with configuring the console to accept connections over the default HTTPS port, 443. Once you have configured the web console to use HTTPS, you can log in to check your work with the following administrator credentials:

  • Username: admin
  • Password: $p|unkEnt3rpr!$e

Once the web console is secured, use it to create a new user with the following criteria:

  • Username: cloud_user
  • Full Name: Cloud User
  • Email Address: cloud_user@linuxacademy.com
  • Password: temp_password
  • Timezone: Default
  • Default App: Search
  • Roles: User
  • Require password change on first login: True

Then, log out as the admin user and log in as cloud_user to verify the request to set a new password on first login.

Solution

Begin by logging in to the lab server using the credentials on the hands-on lab page:

ssh cloud_user@PUBLIC_IP_ADDRESS

Configure HTTPS over port 443 using the web.conf configuration file

  1. Become root:

    sudo su -
  2. Copy the default web.conf from /opt/splunk/etc/system/default/ into /opt/splunk/etc/system/local/:

    cp /opt/splunk/etc/system/default/web.conf /opt/splunk/etc/system/local/.
  3. Change the permissions on /opt/splunk/etc/system/local/web.conf so that its owner can write to it (the copy is otherwise read-only):

    chmod 600 /opt/splunk/etc/system/local/web.conf
  4. In the /opt/splunk/etc/system/local/web.conf file, change the following lines (both keys live in the [settings] stanza):

    # port number tag is missing or 0 the server will NOT start an http listener
    # this is the port used for both SSL and non-SSL (we only have 1 port now).
    httpport = 8000
    
    # this determines whether to start SplunkWeb in http or https.
    enableSplunkWebSSL = false

    To:

    # port number tag is missing or 0 the server will NOT start an http listener
    # this is the port used for both SSL and non-SSL (we only have 1 port now).
    httpport = 443
    
    # this determines whether to start SplunkWeb in http or https.
    enableSplunkWebSSL = true
  5. Save and close web.conf.

Restart Splunk

  1. Restart Splunk so the new web.conf takes effect (ports below 1024 are privileged on Linux, so Splunk must run as root or hold the CAP_NET_BIND_SERVICE capability to listen on 443):

    /opt/splunk/bin/splunk restart
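The web.conf edit from step 4 and a check of the result before the restart, as an added shell example (not part of the lab): it handles only the two [settings] keys the lab changes, and the demo file at the bottom is constructed here rather than taken from a Splunk host.

```shell
# Added example, not from the lab: script the step-4 web.conf edit and verify
# it before restarting. Demo input at the bottom is a constructed file.
# set_web_setting FILE KEY VALUE: replace an uncommented "KEY = ..." line,
# or insert "KEY = VALUE" after the [settings] header if KEY is absent.
set_web_setting() {
  f=$1; k=$2; v=$3
  if grep -Eq "^[[:space:]]*${k}[[:space:]]*=" "$f"; then
    awk -v k="$k" -v v="$v" '
      $0 ~ "^[ \t]*" k "[ \t]*=" { print k " = " v; next }
      { print }' "$f" > "$f.tmp"
  else
    awk -v k="$k" -v v="$v" '
      { print }
      /^\[settings\]/ && !done { print k " = " v; done = 1 }
      END { if (!done) print "[settings]\n" k " = " v }' "$f" > "$f.tmp"
  fi
  mv "$f.tmp" "$f"
}
# get_web_setting FILE KEY: print the value of the last uncommented KEY line.
get_web_setting() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    $0 ~ "^[ \t]*" k "[ \t]*=" {
      sub("^[ \t]*" k "[ \t]*=[ \t]*", ""); sub(/[ \t]+$/, "")
      val = $0
    }
    END { print val }' "$1"
}
# Step 4 of the lab: SplunkWeb over HTTPS on the default HTTPS port.
secure_splunk_web() {
  set_web_setting "$1" httpport 443
  set_web_setting "$1" enableSplunkWebSSL true
}
# Succeeds only if FILE carries both values the lab asks for.
verify_https_config() {
  [ "$(get_web_setting "$1" httpport)" = "443" ] &&
    [ "$(get_web_setting "$1" enableSplunkWebSSL)" = "true" ]
}
# Demo on a constructed copy of the relevant default lines, so this runs
# without Splunk; on the lab host point it at /opt/splunk/etc/system/local/web.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[settings]
# this is the port used for both SSL and non-SSL (we only have 1 port now).
httpport = 8000
enableSplunkWebSSL = false
EOF
secure_splunk_web "$demo_conf"
verify_https_config "$demo_conf" && echo "web.conf ready: HTTPS on port 443"
rm -f "$demo_conf"
```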

Browse to your Splunk web console over HTTPS port 443

  1. In your browser, go to https://your_public_ip.

    You will likely get a warning about the certificate. The default certificate is not issued by a CA your browser trusts, and it was created for the host's local address rather than the public gateway address you are browsing to. For anything beyond a lab, replace it with a certificate issued for the name users actually connect to.

Using the Splunk web console, create a new user

  1. In the web console, go to Settings > Access Controls.

  2. Click + Add new on the Users tile.

  3. Enter the following for each field:

    • Name: cloud_user
    • Full name: Cloud User
    • Email address: cloud_user@linuxacademy.com
    • Set password: temp_password
    • Confirm password: temp_password
    • Time zone: -- Default System Timezone --
    • Default app: search (Search & Reporting)
    • Assign to roles: user
    • Create a role for this user: false
    • Require password change on first login: true
  4. Click Save.

  5. Log out as the admin user and log in as cloud_user to verify the request for a new password.

    You may set a new password if you want to keep logging in as cloud_user and verify the limited permissions of the user role.

Conclusion

Congratulations, you've completed this hands-on lab!