On all the Universal Forwarders, any user has the ability to access REST API called Splunk ATOM Feed:Splunkd. They can access this on any Universal Forwarder by putting in https:localhost:8089 or loopback 127.0.0.1:8089. I am trying to disable this feature or at the very least change the default password. The research that I’ve done informed me that this is not being used since we are not running a deployment server and we currently don’t have plans to use one in the future. The interface itself seems to be locked down and you can’t make any changes to it just view.
... View more