Securing Splunk Enterprise
Unlock a user account
If a user locks themselves out of their Splunk platform instance account, you can unlock the account as an administrator.
To change a password for a Splunk instance user account, see Change a password.
Unlocking a user account applies when you use the native authentication scheme only. It does not apply when using other authentication schemes.
Unlock a user account in Splunk Web
If an administrator has locked themselves out of their account, they must reset their password by using the "Unlock an administrator account from the command line in Splunk Enterprise" procedure later in this topic.
- In Splunk Web, select Settings > Users.
- In the Users page, check the Status column to locate the user that is locked.
- In the Action column for that user, select Unlock. The user can log in immediately with the correct credentials.
Unlock a user account from the command line in Splunk Enterprise
A Splunk Enterprise administrator can unlock a user account if they have access to the Splunk CLI and write access to the disk on which the Splunk Enterprise instance runs.
- Open a shell or command prompt.
- Type the following CLI command:
splunk edit user <locked username> -locked-out false -auth admin:<yourpassword>
- Exit the shell or command prompt.
- Try to log into the Splunk platform instance as the locked out user.
Unlock an administrator account from the command line in Splunk Enterprise
If a Splunk platform instance administrator needs to unlock the administrator account on an instance, they must have access to the disk on which the Splunk Enterprise instance runs.
- Open a shell or command prompt.
- Stop the Splunk platform instance:
splunk stop
- Temporarily move the password file to a backup:
mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak
- Follow the instructions in Create admin credentials with user-seed.conf to recreate the administrator user.
- Confirm you can log into the instance with the new administrator username and password.
- After you confirm a successful log in to the instance, stop the instance again.
- Using a text editor, open both the backup password file and the new password file that the Splunk platform created when you created the new administrator user earlier in this procedure.
- Copy all of the user information, except for the administrator user, from the backup password file you created earlier to the new password file.
- Save the file and close the text editor.
- Restart the Splunk platform instance.
- Log into the Splunk platform instance.
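The steps above are manual, and the merge of the two password files (step 8) is the one most likely to go wrong by hand: copying the old administrator record back in reintroduces the locked-out account, and copying a user twice produces duplicate records. The following POSIX shell script is an added example written for this topic, not code from the Splunk documentation or the Splunk product. It assumes that $SPLUNK_HOME/etc/passwd holds one colon-separated record per line with the username in the second field (each line starts with a colon), that the administrator account is named admin unless told otherwise, and that user-seed.conf uses the [user_info] stanza with USERNAME and PASSWORD keys. The sample records in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation or product.
# Assumed passwd record shape: ":username:hash:fullname:roles:email:::"

# merge_passwd BACKUP NEW [ADMIN_USER]
# Appends to NEW every record from BACKUP whose username is neither
# ADMIN_USER (recreated via user-seed.conf) nor already present in NEW.
# Prints the number of records appended, so a second run reports 0.
merge_passwd() {
    backup="$1"
    new="$2"
    admin="${3:-admin}"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines in the backup.
        [ -z "$line" ] && continue
        # Username is the second colon-separated field.
        user=$(printf '%s\n' "$line" | cut -d: -f2)
        # Never carry the old (locked) administrator record back in.
        [ "$user" = "$admin" ] && continue
        # Skip users that already have a record in the new file; an exact
        # field comparison in awk avoids regex surprises in usernames.
        if awk -F: -v u="$user" '$2 == u { found = 1 } END { exit !found }' "$new"; then
            continue
        fi
        printf '%s\n' "$line" >> "$new"
        count=$((count + 1))
    done < "$backup"
    echo "$count"
}

# recover_admin_account SPLUNK_HOME NEW_ADMIN_PASSWORD
# The full recovery procedure from this topic as one function. It is defined
# here for reference and is not invoked automatically; run it only on the
# instance whose administrator account is locked, and confirm the new
# administrator login between the first start and the second stop.
recover_admin_account() {
    home="$1"
    newpw="$2"
    "$home/bin/splunk" stop
    mv "$home/etc/passwd" "$home/etc/passwd.bak"
    # user-seed.conf is consumed on the next start and creates the admin user
    # (assumed stanza and key names; the file is removed by Splunk after use).
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$newpw" \
        > "$home/etc/system/local/user-seed.conf"
    "$home/bin/splunk" start
    echo "Verify that admin can log in with the new password, then press Enter."
    read -r _
    "$home/bin/splunk" stop
    appended=$(merge_passwd "$home/etc/passwd.bak" "$home/etc/passwd" admin)
    echo "Restored $appended non-administrator user record(s)."
    "$home/bin/splunk" start
}
```

Usage: source the script and call recover_admin_account "$SPLUNK_HOME" 'NewStrongPassword'. To check merge_passwd on its own, create a backup file containing constructed records such as ":admin:$6$old:Administrator:admin:a@example.com:::19000" and ":alice:$6$h1:Alice:user:alice@example.com:::19000", and a new file holding only the freshly created admin record; merge_passwd prints 1, leaves the new admin hash untouched, and prints 0 when run a second time. Keep passwd.bak until the merged instance has been verified, and delete it afterwards because it still contains password hashes.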
Unlock user accounts in distributed Splunk platform environments
If a user on a search head cluster is locked out, they are only locked out on the single member of the cluster. Results from other search heads will not show the user as locked out.
If a user or admin is locked out, an admin can:
- Wait for the user's lockout period to expire.
- Unlock the user, using the instructions on this page.
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2