
How to stop access to Port 8089 in Splunk or change password on Universal Forwarder?

dbatts
Explorer

On all the Universal Forwarders, any user has the ability to access the REST API called Splunk ATOM Feed:Splunkd. They can access this on any Universal Forwarder by putting in https://localhost:8089 or loopback 127.0.0.1:8089. I am trying to disable this feature or at the very least change the default password. The research that I’ve done informed me that this is not being used, since we are not running a deployment server and we currently don’t have plans to use one in the future. The interface itself seems to be locked down and you can’t make any changes to it, just view.

1 Solution

dbatts
Explorer

I contacted Splunk Engineering and the best way to disable port 8089 is:

Go to: c:/splunkforwarder/etc/system/local/server.conf

Add:

 [httpServer]
 disableDefaultPort=true

Restart: splunkforwarder in services

esix_splunk
Splunk Employee

You can change the password for UF (and HF) from the CLI very easily, via:

 ./splunk edit user admin -password newpassword -role admin -auth admin:changeme

This changes the password to 'newpassword'.

You can run this via installation scripts, or post-installation.

As for access to localhost:8089, best practice would be to use a localhost-based firewall to restrict access to 8089 from outside of the box (iptables, ipfw, etc.).

0 Karma

teunlaan
Contributor

You can change the default password by putting in a different 'passwd' file. But you have to do it at installation time; this can never be pushed with a deployment server.

0 Karma
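An added example, not part of the original posts and not Splunk tooling: a Python check that the `[httpServer]` / `disableDefaultPort` setting from the accepted solution is really present (not commented out or under the wrong stanza) and whether port 8089 still accepts connections on loopback. The function names and sample configs are constructed for illustration; as assumptions, it reads only the single server.conf path named in the post and accepts only `true` or `1` as a true value.

```python
import socket

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"   # keys before any stanza land in "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def mgmt_port_disabled(conf_text):
    """True only if [httpServer] disableDefaultPort is set to a true value."""
    value = parse_conf(conf_text).get("httpServer", {}).get("disableDefaultPort", "")
    return value.lower() in ("true", "1")   # values this audit accepts (assumption)

def port_listening(host="127.0.0.1", port=8089, timeout=1.0):
    """True if a TCP connect to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def audit(conf_text, listening):
    """Combine the config state with the observed port state."""
    disabled = mgmt_port_disabled(conf_text)
    if disabled and not listening:
        return "ok: management port disabled"
    if disabled and listening:
        return "check: setting present but port open (service restarted?)"
    if listening:
        return "exposed: port open and disableDefaultPort not set"
    return "check: port closed but setting missing (forwarder stopped?)"

# Constructed sample server.conf contents, not taken from a real host.
HARDENED = "[httpServer]\ndisableDefaultPort=true\n"
COMMENTED = "[httpServer]\n# disableDefaultPort=true\n"
WRONG_STANZA = "[general]\ndisableDefaultPort = true\n"

if __name__ == "__main__":
    path = "c:/splunkforwarder/etc/system/local/server.conf"  # path from the post
    with open(path) as fh:
        print(audit(fh.read(), port_listening()))
```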