
Trying to update the Splunk Add-on for Unix and Linux from 5.2.1 to 5.2.3, do you need the original password?

hunt44de
New Member

I'm trying to update Splunk_TA_NIX from Version: 5.2.1 to version 5.2.3, but the admin/passwd doesn't seem to be working. The admin passwd has been changed since the app was originally installed and I currently don't have access to the old passwd. I've tried the current admin:psswd, my splunk acct. credentials, and the default admin:changeme "no dice". I was wondering if you need the original password, and if so, is there a way to force the Splunk app to use a new admin password if changed (if possible)? Thanks

I'm also assuming the admin:passwd it's looking for is the same one we use to log in to Splunk Enterprise.

0 Karma
1 Solution

hmclaren_splunk
Splunk Employee

Answer by @Lionel:
To reset the admin password you will need to have access to the file system:
- move the $SPLUNK_HOME/etc/passwd file to passwd.bak
- restart Splunk

After the restart you should be able to log in using the default login (admin/changeme).

If you created other user accounts, copy those entries from the backup file into the new passwd file and restart splunk.

It is already answered:
https://answers.splunk.com/answers/834/how-could-i-reset-the-admin-password.html


0 Karma


hunt44de
New Member

Thanks, I understand that. I was just curious what username:passwd the app is looking for... I was trying to avoid resetting passwords if possible.

0 Karma

hmclaren_splunk
Splunk Employee

Ah okay, I misunderstood.
At which point is the app looking for credentials? During the install via Splunk Web or via the CLI install (directly or via a Deployment Server?)?
Are you receiving an error message? If so, in which log file and what is the message?

0 Karma

hunt44de
New Member

No worries. Under "manage app", when I click on the app upgrade, it asks for username/passwd. I was updating via Web Console. The error via web console is invalid username/passwd.

0 Karma

hunt44de
New Member

Crazy thing is I have current admin/passwd but it sucks if you need the admin/passwd that was used when the app was originally installed and not the current updated one. Thanks for your response

0 Karma

hmclaren_splunk
Splunk Employee

I would be very surprised if that was the case, as the TA shouldn't store any credentials as far as I know.
Check in SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/* and see if there are any hard-coded password hashes.

Also check SPLUNK_HOME/etc/system/local/* for the same.

0 Karma
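The check suggested in the reply above (looking through the `local/*` directories for stored credentials) can be scripted. This is an added example, not part of the original thread and not Splunk code; the function names, the key-name pattern and the `$<digit>$` value-prefix heuristic are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions of this example, not a Splunk-defined list).
KEY_RE = re.compile(r"pass|secret|token|credential", re.I)
HASH_RE = re.compile(r"^\$\d+\$")  # values shaped like $1$..., $6$..., $7$...

def scan_conf(path):
    """Return (file, stanza, key, kind) findings; values are never returned."""
    findings, stanza = [], "default"
    for raw in Path(path).read_text(errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if HASH_RE.match(value):
            findings.append((Path(path).name, stanza, key, "hashed-or-encrypted"))
        elif KEY_RE.search(key) and value:
            findings.append((Path(path).name, stanza, key, "cleartext"))
    return findings

def scan_dirs(dirs):
    """Scan every *.conf directly under each directory that exists."""
    out = []
    for d in map(Path, dirs):
        if d.is_dir():
            for conf in sorted(d.glob("*.conf")):
                out.extend(scan_conf(conf))
    return out

def demo():
    """Run against a constructed local/ directory (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        local = Path(tmp, "Splunk_TA_nix", "local")
        local.mkdir(parents=True)
        (local / "inputs.conf").write_text("[script://./bin/cpu.sh]\ninterval = 30\ndisabled = 0\n")
        (local / "passwords.conf").write_text("[credential::svc:]\npassword = $7$CONSTRUCTEDSAMPLE==\n")
        (local / "app.conf").write_text("# comment\n[install]\napi_token = constructed-sample\n")
        return scan_dirs([local, Path(tmp, "missing")])

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, pass the two directories named in the reply to `scan_dirs()`; only file, stanza and key names are reported, so the output can be shared without exposing the stored values.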

hunt44de
New Member

I was logged in both ways, as myself (and I have admin priv) and also as the admin user, and I'm getting the invalid username/passwd under both. I tried it both ways because I've seen tools that want the admin user even if you are indeed an admin. I'll pick this up in the a.m. Thanks so much for the insight (check first thing in the morning).

0 Karma

hmclaren_splunk
Splunk Employee

Good luck!

0 Karma

hmclaren_splunk
Splunk Employee

Have you checked the internal log files for Splunk to see if there is further information?
SPLUNK_HOME/var/log/splunk/splunkd.log

Or search in Splunk: index=_internal error OR warn

I haven't encountered that issue before. Are you signed in as a user with 'admin' as their role?

0 Karma