Re: admin's beware: 6.5.1 causes clients to direct...

w531t4 · ‎01-26-2017

FYI, discovered that in 6.5.1 Splunk is now placing the burden of checking whether it is up to date on the client rather than the server. So, since most client machines have access to the internet, lots of interesting information gets passed back to Splunk.. including:

Any associated Splunk Answers user/cookie information
All Splunk role's on the server
GUID's of Splunk Licenses on the server

We are observing the request go to https://quickdraw.splunk.com, and we have 'updateCheckerBaseURL = 0' in web.conf. The request to quickdraw.splunk.com only occurs after a successful login.

If anyone knows how to turn off this behavior, it would be greatly appreciated.

ChrisG · ‎01-26-2017

The information that Splunk collects if you opt in to share performance data is documented in Share performance data in the Admin Manual. This topic also explains what data is not collected, which node in your deployment runs the searches to collect the data, and how to opt in or out.

w531t4 · ‎01-26-2017

As stated in my original post, this still occurs while both

Anonymized Usage Data
License Usage Data

are set to disabled.

Additionally, the page says nothing about the inclusion of reporting the names of configured roles to splunk.

ChrisG · ‎01-26-2017

Indeed. We are doing some research here to get the details.

admin's beware: 6.5.1 causes clients to directly reach to splunk

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases