Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change default "acceptFrom" for all Splunk REST API endpoints?

SplunkPersonal
Path Finder
‎05-11-2018 08:28 AM

In the restmap.conf file, you can specify acceptFrom to limit access to Splunk REST API endpoints to specific IPs. By default (and if unspecified), acceptFrom is * allowing access from all IP addresses. Is there a way to change this default for all Splunk REST API endpoints? I'd like to more tightly control access to these APIs, and defaulting open requires more effort to lockdown and makes it more likely to result in unintentionally leaving an API open. Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SplunkPersonal
Path Finder
‎05-12-2018 10:08 AM

Credit to xpac for this answer. He suggested trying adding the desired acceptFrom under [default] in restmap.conf. This was undocumented but worked.

So to make all REST API endpoints disabled by default, add the following stanza to restmap.conf:

[default]
acceptFrom=""

To enable specific REST API endpoints, add the acceptFrom underneath that endpoint's stanza in restmap.conf and set it to whatever IP addresses you want to allow (or * for any IP address).

Thanks again xpac!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

SplunkPersonal
Path Finder
‎05-12-2018 10:08 AM

Credit to xpac for this answer. He suggested trying adding the desired acceptFrom under [default] in restmap.conf. This was undocumented but worked.

So to make all REST API endpoints disabled by default, add the following stanza to restmap.conf:

[default]
acceptFrom=""

To enable specific REST API endpoints, add the acceptFrom underneath that endpoint's stanza in restmap.conf and set it to whatever IP addresses you want to allow (or * for any IP address).

Thanks again xpac!

0 Karma
Reply
Solved! Jump to solution

SplunkPersonal
Path Finder
‎05-12-2018 04:45 AM

Thank you for the suggestion. That was a good idea. I tested it out, but unfortunately it doesn't work for my specific situation. Using acceptFrom in server.conf for [httpServer], I was able to successfully limit what IPs could use the REST API. But when I used restmap.conf to try to override the fail closed policy for a specific API endpoint with acceptFrom=*, it still rejected connections from non-whitelisted IP addresses. I ultimately need something that allows me to override that more restrictive default policy with a less restrictive but endpoint-specific policy.

Thanks for the idea.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-12-2018 05:40 AM

Ah, yeah, that won't possible with that approach.

You could try and put

[global]
acceptFrom = whatever

in the restmap.conf, and just override in your own use case with a more specific stanza. You could also try putting that in a [default] stanza instead of global.
Its not explicitly mentioned in the doc, but sometimes things still work.

If you try this, please let us know if it worked!

0 Karma
Reply
Solved! Jump to solution

SplunkPersonal
Path Finder
‎05-12-2018 10:01 AM

I had previously tried [general], [.], [*], and []. None of those worked. I hadn't thought of global or default, good idea. Global was a no go, but [default] worked. Great call on that and thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...