| CARVIEW |
Securing Splunk Enterprise
- Install Splunk Enterprise securely
- Create secure administrator credentials
- About TLS encryption and cipher suites
- Securing Splunk Enterprise with FIPS
- About default certificate authentication
- Harden the Splunk Enterprise installation directory on Windows
- Secure Splunk Enterprise on your network
- Disable unnecessary Splunk Enterprise components
- Secure Splunk Enterprise service accounts
- Deploy secure passwords across multiple servers
- Harden the network port that App Key Value Store uses
- Some best practices for your servers and operating system
- Password best practices for administrators
- Configure Splunk password policies
- Configure a Splunk Enterprise password policy using the Authentication.conf configuration file
- Password best practices for users
- Unlock a user account
- Change a user password
- Manage out-of-sync passwords in a search head cluster
- Use access control to secure Splunk data
- About user authentication
- About configuring role-based user access
- Define roles on the Splunk platform with capabilities
- Add and edit users
- Create and manage roles with Splunk Web
- Add and edit roles with authorize.conf
- Configure access to manager consoles and apps in Splunk Enterprise
- Find existing users and roles
- Delete all user accounts on Splunk Enterprise
- Secure access for Splunk knowledge objects
- Use network access control lists to protect your deployment
- Set up user authentication with LDAP
- Manage Splunk user roles with LDAP
- LDAP prerequisites and considerations
- Secure LDAP authentication with transport layer security (TLS) certificates
- How the Splunk platform works with multiple LDAP servers for authentication
- Configure LDAP with Splunk Web
- Map LDAP groups to Splunk roles in Splunk Web
- Configure LDAP using configuration files
- Map LDAP groups and users to Splunk roles using configuration files
- Test your LDAP configuration on Splunk Enterprise
- Change authentication schemes from native to LDAP on Splunk Enterprise
- Remove an LDAP user safely on Splunk Enterprise
- About multifactor authentication with Duo Security
- Configure Splunk Enterprise to use Duo Security multifactor authentication
- Configure Duo multifactor authentication for Splunk Enterprise in the configuration file
- About multifactor authentication with RSA Authentication Manager
- Configure RSA authentication from Splunk Web
- Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication via the REST endpoint
- Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication in the configuration file
- User experience when logging into a Splunk instance configured with RSA multifactor authentication
- Configure single sign-on with SAML
- Configure SSO with PingIdentity as your SAML identity provider
- Configure SSO with Okta as your identity provider
- Configure SSO with Microsoft Azure AD or AD FS as your Identity Provider
- Configure SSO with OneLogin as your identity provider
- Configure SSO with Optimal as your identity provider
- Configure SSO in Computer Associates (CA) SiteMinder
- Secure SSO with TLS certificates
- Configuring SAML in a search head cluster
- Configure Ping Identity with leaf or intermediate SSL certificate chains
- Configure SAML SSO for other IdPs
- Configure authentication extensions for SAML tokens
- Configure advanced settings for SSO
- Map groups on a SAML identity provider to Splunk roles
- Modify or remove role mappings
- Configure SAML SSO in the configuration files
- Best practices for using SAML as an authentication scheme for single-sign on
- Troubleshoot SAML SSO
- About securing inter-Splunk communication
- Configure secure communications between Splunk instances with updated cipher suite and message authentication code
- Securing distributed search heads and peers
- Secure deployment servers and clients using certificate authentication
- Secure Splunk Enterprise services with pass4SymmKey
- CBS Token authentication failed. Add-on for Micros...
- Invalid token in Splunk app for SOAR, yet tokens a...
- Gettting 404 error while trying to create an acces...
- Authorization Token Not Work
- How to create authentication token and then use it...
- How do I do simple token based authentication with...
- Authenticated API call using webport redirects (30...
- Receiving HTTP 303 When Using Token-Based Authenti...
- How to set token from search and then conditionall...
- For Splunk API requests, are authentication token...
Use authentication tokens
If you have been assigned an authentication token, you can access a Splunk platform instance using Representational State Transfer (REST) calls or the CLI. These methods let you access the instance and make requests without having to authenticate with credentials.
You must possess a valid token that has been given to you from an administrator who maintains the instance. The token cannot be expired, as expired tokens are unusable. Administrators can delay when the validity of a token starts, meaning that the token cannot be used until its validity begins.
You cannot use a token on any instance other than the instance where the administrator granted you the token. For example, if you have a token for server1, and need access to server2, you must ask the administrator for server2 to give you access to a token there. There is an exception on search head clusters: if an administrator grants you token-based access to a search head cluster, that token is valid for all search head cluster nodes.
You lose access to the instance through the token if any of the following occurs:
- The token expires. You can ask the administrator to issue a new token to regain access.
- The administrator disables the token. The administrator must reenable the token before you can use it again.
- The administrator deletes the token. You can ask the administrator to issue a new token to regain access.
- The administrator disables token authentication, either temporarily or permanently.
- The administrator deletes your account.
- You lock out or disable your Active Directory account on a Splunk platform instance that uses LDAP to connect to Active Directory.
Confirm that the administrator sends you the full token when they assign it to you. You must have the full token to authenticate with it. If you do not, the Splunk platform rejects those authentication requests as if you had entered incorrect credentials.
Use an authentication token to make REST calls to an instance
After you receive a valid token for the instance you want to use, you can use the token to make calls to REST endpoints on the instance. Your access is the same as what you have if you logged in with credentials.
The type of web request you make depends on the endpoint you want to access and what you want to do with the endpoint. For more information on REST endpoints and how to use them, see the REST API User Manual and the REST API Reference Manual for information on REST and using REST endpoints.
Understand the ramifications of making REST calls using tokens. Tokens are only a method of authentication, not a safeguard against making potentially dangerous changes to a Splunk platform instance. If you have questions or concerns about using tokens, contact your administrator.
Currently, tokens are available only for making REST calls or using the CLI to access a Splunk Enterprise instance. You cannot use tokens to authenticate using Splunk Web.
Use your REST web client or command line tool to make an HTTP GET, POST, or DELETE request on an endpoint. When you make the request, include the management port of the instance:
curl -X GET -H "Authorization: Bearer <token>" https://<instance host name or IP address>:<management port>/services/authentication/users/<user>
If the operation succeeds, the command prints a response in XML that contains the information that the instance generated upon accessing the endpoint.
An authentication failure appears as follows:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN">call not properly authenticated</msg>
</messages>
</response>
Insufficient permissions to access the endpoint appear as follows:
<response>
<messages>
<msg type="ERROR">You (user=<user>) do not have permission to perform this operation (requires capability: <capability> [or <capability>...]).</msg>
</messages>
</response>
Use the CLI to access a Splunk Enterprise instance with a token
You can run commands with the Splunk CLI and use a token as authentication rather than standard credentials. You can do this with any command that normally requires authentication.
Use the -token CLI argument to supply the token:
/opt/splunk/bin/splunk search '*' -token <token>
Examples
The following examples assume that you have properly configured SSL certificates on your Splunk platform instance. If you have not, then the commands will not work. As a temporary measure to test connectivity to SSL, you can use the -k argument for curl to bypass certificate review. Do not do this long term, as certificates are a key part of maintaining security in SSL.
Examples for accessing REST endpoints using tokens
The following example accesses the /apps/local endpoint to retrieve a list of local Splunk applications on the instance:
curl -H "Authorization: Bearer eyJraWQ..." -X GET https://10.224.100.135:34740/services/apps/local
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="https://www.w3.org/2005/Atom" xmlns:s="https://dev.splunk.com/ns/rest" xmlns:opensearch="https://a9.com/-/spec/opensearch/1.1/">
<title>localapps</title>
<id>https://10.224.100.135:34740/services/apps/local</id>
<updated>2019-02-13T23:05:24+00:00</updated>
<generator build="7d447048a453" version="7.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>18</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>alert_logevent</title>
...
</entry>
...
</feed>
The following example accesses the authorization/roles endpoint to get information about the roles that have been configured on the instance:
curl -H "Authorization: Bearer eyJraWQ..." -X GET https://idx1.splunkcorp.com:8089/services/authorization/roles
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="https://www.w3.org/2005/Atom" xmlns:s="https://dev.splunk.com/ns/rest" xmlns:opensearch="https://a9.com/-/spec/opensearch/1.1/">
<title>roles</title>
<id>https://10.224.100.135:34740/services/authorization/roles</id>
<updated>2019-02-13T23:10:41+00:00</updated>
<generator build="7d447048a453" version="7.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>5</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
...
</entry>
...
</feed>
Examples for using the CLI with tokens
The following example searches splunkd.log on the local instance for the string JsonWebToken:
./splunk search "index=_internal source=*splunkd.log* JsonWebToken" -token eyJraWQ... 09-18-2019 15:48:25.853 -0700 INFO JsonWebToken - Saving tokenId: f61b7aecf75e95cd226234f4fe901ed450fa323648165a91bf02f0a07c5199eb, authType: Splunk, IDP: Splunk to KVStore 09-18-2019 15:38:33.825 -0700 INFO JsonWebToken - Saving tokenId: f61b7aecf75e95cd226234f4fe901ed450fa323648165a91bf02f0a07c5199eb, authType: Splunk, IDP: Splunk to KVStore 09-10-2019 14:45:14.201 -0700 INFO loader - JsonWebToken Manager registration with KVStore successful.
The following example shows all of the apps that are present on the Splunk platform instance:
./splunk display app -token eyJraWQ... alert_logevent CONFIGURED ENABLED INVISIBLE alert_webhook CONFIGURED ENABLED INVISIBLE appsbrowser CONFIGURED ENABLED INVISIBLE introspection_generator_addon CONFIGURED ENABLED INVISIBLE launcher CONFIGURED ENABLED VISIBLE learned UNCONFIGURED ENABLED INVISIBLE legacy UNCONFIGURED DISABLED INVISIBLE sample_app UNCONFIGURED DISABLED INVISIBLE search CONFIGURED ENABLED VISIBLE splunk_archiver CONFIGURED ENABLED INVISIBLE splunk_gdi UNCONFIGURED ENABLED INVISIBLE splunk_httpinput UNCONFIGURED ENABLED INVISIBLE splunk_instrumentation UNCONFIGURED ENABLED VISIBLE splunk_internal_metrics UNCONFIGURED ENABLED INVISIBLE splunk_metrics_workspace UNCONFIGURED ENABLED VISIBLE splunk_monitoring_console UNCONFIGURED ENABLED VISIBLE SplunkForwarder UNCONFIGURED DISABLED INVISIBLE SplunkLightForwarder UNCONFIGURED DISABLED INVISIBLE
| Manage or delete authentication tokens | Troubleshoot token authentication |
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Comments
Download manual
You must be logged into splunk.com in order to post comments. Log in now.
Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.
Your Comment Has Been Posted Above
Feedback submitted, thanks!