Securing Splunk 8.x.x Deployment Server and Universal Forwarder

By Jay Young, Senior Splunk Consultant

The following blog will show how to set up pass4SymmKey authentication between a Splunk Deployment Server and its Universal Forwarders in Splunk version 8.x.x. This method makes it harder for someone to stand up a rogue Universal Forwarder and connect it to your Deployment Server.

Please note: This does not fully protect against the Splunk Deployment Server vulnerability listed in the web link below. As such, you should make sure you have updated your current Deployment Server to version 8.1.0.1, 8.2.6.1, or 9.0.x.

Check here for Splunk Deployment Server vulnerability information before you get started.

Set up pass4SymmKey Authentication between the Deployment Server and Universal Forwarders

Step 1: Create a new app for the Deployment Server and Universal Forwarders
a. Create the file pass4SymmKey_auth_app/local/server.conf
b. In server.conf, add the following stanza (the value "password" is a placeholder; use your own strong shared secret):
[deployment]
pass4SymmKey = password

Step 2: Add the app to these locations on the Deployment Server
a. $SPLUNK_HOME/etc/apps/
b. $SPLUNK_HOME/etc/deployment-apps

Step 3: Configure the new app so the Universal Forwarder restarts after the Deployment Server pushes the app to the clients
a. Open Splunk Web and go to Settings > Forwarder Management
b. Select the Apps tab on the Forwarder Management main screen
c. Find the newly created app in the list and, under the Actions column, select "Edit."
d. Check the box next to Restart Splunkd.
e. Click "Save."

Step 4: Create a new serverclass on the Deployment Server and push the app to the universal forwarders

Step 5: Create a restmap.conf file on the Deployment Server (this enables the required authentication)
a. Create the file at $SPLUNK_HOME/etc/system/local/restmap.conf
b. Add the following stanza to restmap.conf:
[broker:broker]
requireAuthentication = true
c. Restart the Deployment Server

Step 6: Temporarily turn off authentication between the Deployment Server and Universal Forwarders. This is required when adding new Universal Forwarders, because a new forwarder does not yet have the pass4SymmKey app and so cannot authenticate to pull it.
a. Set the restmap.conf requireAuthentication attribute to false, or comment out the entire stanza.
b. Restart the Deployment Server.
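The script below is an added example, not part of the original post, that carries out the file-level parts of Steps 1, 2, 5 and 6 against a SPLUNK_HOME you choose and then audits whether broker authentication is actually on. It assumes the app name pass4SymmKey_auth_app from the post; the shared secret and the scratch directory used in the demo are constructed placeholders. It writes the same two stanzas shown above and nothing else; the Splunk restarts and the serverclass (Steps 3 and 4) are still done as described.

```bash
#!/bin/sh
# Added example (not from the original post): build the pass4SymmKey app and the
# restmap.conf stanza under a chosen SPLUNK_HOME, then audit the result.
set -eu

# Step 1 + Step 2: write [deployment] pass4SymmKey into the app's local/server.conf
# and place the app under both etc/apps and etc/deployment-apps.
#   $1 = SPLUNK_HOME   $2 = shared secret (placeholder in the demo below)
create_pass4symmkey_app() {
    splunk_home=$1
    secret=$2
    for base in "$splunk_home/etc/apps" "$splunk_home/etc/deployment-apps"; do
        app="$base/pass4SymmKey_auth_app"
        mkdir -p "$app/local"
        printf '[deployment]\npass4SymmKey = %s\n' "$secret" > "$app/local/server.conf"
        chmod 600 "$app/local/server.conf"   # the secret is plaintext until splunkd encrypts it
    done
}

# Step 5 (true) / Step 6 (false): write the [broker:broker] stanza in
# $SPLUNK_HOME/etc/system/local/restmap.conf.   $1 = SPLUNK_HOME   $2 = true|false
set_broker_auth() {
    splunk_home=$1
    state=$2
    mkdir -p "$splunk_home/etc/system/local"
    printf '[broker:broker]\nrequireAuthentication = %s\n' "$state" \
        > "$splunk_home/etc/system/local/restmap.conf"
}

# Audit: prints "enabled", "disabled" or "missing". A commented-out stanza (Step 6,
# option two) or a value other than true counts as disabled.
broker_auth_status() {
    f="$1/etc/system/local/restmap.conf"
    [ -f "$f" ] || { echo missing; return 0; }
    awk '
        /^[[:space:]]*#/ { next }                                   # skip comment lines
        /^\[/ { in_stanza = ($0 ~ /^\[broker:broker\]/) }           # track the current stanza
        in_stanza && /^[[:space:]]*requireAuthentication[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { found = 1 }
        END { print (found ? "enabled" : "disabled") }
    ' "$f"
}

# Demo against a scratch directory (not a real SPLUNK_HOME); the secret is a placeholder.
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    create_pass4symmkey_app "$scratch" 'CHANGE-ME-shared-secret'
    set_broker_auth "$scratch" true
    echo "broker authentication: $(broker_auth_status "$scratch")"
    rm -rf "$scratch"
fi
```

Run it as `sh script.sh demo` to see the files it produces before pointing it at a live $SPLUNK_HOME. The audit function is the part worth keeping around: after Step 6 it is easy to forget to set requireAuthentication back to true, and a quick check that prints anything other than "enabled" tells you the Deployment Server is still accepting unauthenticated forwarders.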

After completing these steps, your Deployment Server will require pass4SymmKey authentication from any Universal Forwarder that connects to it. If you have any follow-up questions, please reach out below.

Happy Splunking!