
What is the admin account for on a Universal Forwarder?

Glasses
Builder

I have UFs on some "sensitive" servers, and the owners that did the install are questioning the purpose of the admin account.
I have just accepted the fact that all Splunk nodes require credentials and an account.
Is there an official document or explanation for the reason a UF needs one?

These are Windows servers.
Thank you.


guilmxm
SplunkTrust

There are different contexts where CLI or REST access can be used or is useful on a Splunk UF; you may want to refer to:

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/CLIadmincommands

On a UF especially, for troubleshooting you may run some commands like listing the file monitors, investigating the tailing processor, etc.

Example:

splunk _internal call /admin/inputstatus/TailingProcessor:FileStatus

This requires admin access on the UF.

That being said, in real life in 99% of the cases you never, never need to use CLI or REST access on the UF. As a good practice we generally globally deactivate the splunkd REST API on all standard UFs (not HFs!) via the deployment of a simple base config app, which is what I do and recommend to customers.
Whenever you would need such a thing, you still can re-activate it, and again in most of the cases you don't need it, because you would most likely use it for bad reasons.

Deactivating via server.conf:

[httpServer]
disableDefaultPort = true

So, as good practice, at installation generate a random complex password for the admin account, and deactivate REST via the deployment of a base config app.

Guilhem
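To make the two recommendations above concrete, here is an added example (not code from the thread or from Splunk) that renders the base config app carrying the server.conf stanza, audits an existing server.conf for that setting, and generates a random complex admin password. The app name uf_base_disable_rest and the helper names are assumptions made for this illustration.

```python
# Added example: base config app that disables the UF REST port, plus an audit
# of server.conf and a random admin-password generator. The app name and the
# helper functions are constructed for this illustration, not Splunk's own code.
import configparser
import secrets
import string
from pathlib import Path

APP_NAME = "uf_base_disable_rest"  # assumed app name, not from the thread

SERVER_CONF = "[httpServer]\ndisableDefaultPort = true\n"


def render_base_app() -> dict:
    """Return {relative path: content} for the deployment app's files."""
    return {f"{APP_NAME}/local/server.conf": SERVER_CONF}


def write_base_app(apps_dir: Path) -> None:
    """Write the rendered app under apps_dir (e.g. a deployment-apps folder)."""
    for rel, content in render_base_app().items():
        target = apps_dir / rel
        target.mkdir_parents = None  # no-op placeholder to keep intent explicit
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def rest_disabled(conf_text: str) -> bool:
    """True when [httpServer] disableDefaultPort is set to a true-ish value.

    Splunk conf files are INI-like; keys are matched case-insensitively and
    duplicate keys are tolerated (strict=False) rather than raising.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    value = cp.get("httpServer", "disableDefaultPort", fallback="false")
    return value.strip().lower() in ("true", "1", "yes")


def random_admin_password(length: int = 24) -> str:
    """Random password containing lower, upper, digit and punctuation classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw
```

Run rest_disabled() against the merged output of the UF's server.conf files to confirm the deployed app actually took effect on a given host.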

