Tip of the week 16
Secure your Splunk Free server
"Splunk Enterprise is a fully featured, powerful platform for collecting, searching, monitoring and analyzing machine data". There is a free version of Splunk with some limitations (read here), but it is sufficient to analyze the logs of a few hosts (< 20). The major disadvantage of this edition is the lack of an authentication module for the web interface, which means anyone who can reach your Splunk interface can see your data.
One way to secure it is to bind SplunkWeb to localhost and use an SSH tunnel to access it.
You just have to edit $SPLUNK_HOME/etc/system/default/web.conf, uncomment this line and set it as follows:
server.socket_host = localhost
Restart Splunk:
splunk-server# $SPLUNK_HOME/bin/splunk restart splunk
Verify your configuration:
splunk-server# netstat -an | grep 8000
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
Now, if you want to access your SplunkWeb interface, you need to set up an SSH tunnel between your PC and your server that forwards the server's port 8000 to a local port on your PC:
natjohan# ssh -L 8000:127.0.0.1:8000 myremoteuser@<splunk-server-address>
Explanation: with the -L 8000:127.0.0.1:8000 option you specify a local port on your PC (8000) that is forwarded, through the SSH connection, to 127.0.0.1:8000 as seen from your remote server.
Now you can access your Splunk interface on your PC by typing https://127.0.0.1:8000 in your browser.
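As an added check (example code written for this tip, not part of the original post or of Splunk), the following shell function parses netstat -an output and fails if SplunkWeb's port is listening on anything other than a loopback address; the sample netstat lines below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Check that a TCP port (default 8000, SplunkWeb) is bound only to loopback.
# Reads "netstat -an" style lines on stdin (Linux column layout, local address
# in column 4, state in the last column). Exit status:
#   0 - at least one LISTEN socket on the port, all on 127.0.0.1 or ::1
#   1 - the port listens on a wildcard/external address, or is not listening at all
splunkweb_loopback_only() {
    port="${1:-8000}"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # split "127.0.0.1:8000", "0.0.0.0:8000" or ":::8000" into address and port
            n = split($4, a, ":")
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "::1") {
                bad = 1
                print "exposed listener: " $4
            }
        }
        END { exit (found && !bad) ? 0 : 1 }
    '
}

# Run the check against the live host (the command from the tip above).
check_live() { netstat -an 2>/dev/null | splunkweb_loopback_only "$@"; }

# Constructed sample lines for demonstration (hypothetical, not real output).
SAMPLE_OK='tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN'
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN'
SAMPLE_IPV6_WILDCARD='tcp6       0      0 :::8000                 :::*                    LISTEN'
```

On the Splunk host, run check_live 8000 after the restart; a non-zero exit (and an "exposed listener" line) means the web.conf change did not take effect.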