Splunk 7.1: Performing a Splunk password reset

Forgetting the credentials of a product you're using can be a real problem. This tutorial will help you if you've locked yourself out of your Splunk instance and are looking for a way to regain access by resetting the admin account's password.


  • Tom Kopchak
  • May 24, 2018
  • Tested on Splunk Version: N/A

We’ve all been there and done it - forgetting or otherwise losing access to the administrative credentials of a product we’re using. Whatever the reason, sometimes you’re in a situation where you need to reset this type of account on a system. If this application is Splunk, you’re in the right place. 

(Note: these steps assume that you have access to the operating system and file system of the host running Splunk, either as the user Splunk runs as or as root. If you do not have that level of access, you will need to obtain it before you can recover the Splunk password itself. The flip side is worth remembering: anyone with write access to $SPLUNK_HOME/etc can take over the Splunk admin account the same way, so protect that directory accordingly.)

In versions of Splunk before 7.1 (7.0.x, 6.6.x, and earlier), resetting the admin password was trivial. It looked something like this:

  • Move the $SPLUNK_HOME/etc/passwd file to a backup location, such as renaming it to passwd.bak
  • Restart Splunk
  • Log in with admin/changeme
  • Reset the admin password, and then merge the newly created etc/passwd file (containing only the admin user)
    with the backup file (remove the line for the admin user from the backup file first)

With the introduction of Splunk 7.1, the default admin/changeme account has been removed, so this method of password recovery no longer works. If you restart a 7.1 install without a passwd file, you will be greeted with the following message in SplunkWeb when you try to log in:

Of course, it's rather difficult to create a user through the usual methods (the splunk add user command, or the web UI) if you don't have a working account to do it with. Fortunately, even in Splunk 7.1, all hope is not lost.

There are two approaches that will work in this case: resetting the password hash to a known one or using user-seed.conf. Let’s explore both options.

Resetting the password hash

Splunk stores passwords in hashed form in $SPLUNK_HOME/etc/passwd. The file's layout resembles the /etc/passwd file on a typical Linux system, with one difference: the password hashes are stored directly in the passwd file rather than in an equivalent of /etc/shadow. Each line begins with an empty field, so the username is the second colon-separated field and the hash is the third. The $6$ prefix on each hash marks it as a SHA-512 crypt hash, the same format glibc's crypt(3) uses and that mkpasswd -m sha-512 produces.

A sample Splunk passwd file would look something like this:

splunk@hostname:/opt/splunk/etc# cat passwd
:admin:$6$s0CKRhvSS6CSGsA3$Auyk5ZB67F6B44gdaHELjR0Xe0SqYpg5fbfLnchxrneuW2jj/dsqboNffawxtWj0vCjp8syTvrVXksueRRHcD1::Administrator:admin:changeme@example.com:::17674
:tom:$6$H9WxryJqDJMAaxjW$JbQUK8VTRZw4UdUu65MLou4GEEHrUgovksy121xQWTEieRf/KoKqinExsvdLkTWgjFw61jAGIXsh6p2KVzOSP.::Tom:user::::17674

In this example, there are two Splunk users:

  • Admin - the default admin user with full permissions
  • Tom - a normal Splunk user without elevated permissions

Let’s say that we don’t know the password for the admin user, but don’t want to break Tom’s access. We’ll handle this by updating the password hash in the passwd file for the admin user.

Here’s how you do this:

1. Generate a new password hash using the mkpasswd command. If the command isn't present, you may need to install the package that provides it. On my Ubuntu machine, mkpasswd is part of the whois package, so this was accomplished by running the following command:

apt install whois

Fortunately, the error message was self-explanatory:

# mkpasswd
The program 'mkpasswd' is currently not installed. You can install it by typing:
apt install whois

2. Using mkpasswd, generate a sha-512 hash:

# mkpasswd -m sha-512
Password:
$6$yzIST1aK$LVDaqom/YrwjuIwu4z158FYhPYnoPG3uOyJ83SmNgoJjrYc1ubYpNvI1vnCBv7g8MPVz.W.nwy7VLNwBRWsuY0

Note: running mkpasswd several times with the same password produces different output each time, because mkpasswd picks a fresh random salt (the part between the second and third $) for every hash, and all of the results are valid hashes of that password. For example, both the hash above and the following one are hashes of the legacy Splunk default password, "changeme".

$6$jGVSWgEXnuSm$7twqk8X2viWSSESevnFtE3MBqpE7kKhPOo2p8Ee261E2VcZxNH6rIp3N4JDlBgstZf/Tv6ADgGrQpKLEFTyeT1

3. Replace the existing hash for the admin user in the $SPLUNK_HOME/etc/passwd file with the new hash you just generated.

4. Restart Splunk:

$SPLUNK_HOME/bin/splunk restart

5. Once Splunk restarts, you will be able to log in successfully.

Crypt-style password hashes are portable, so you don't even need to generate one yourself: in a pinch, the hashes on this page will reset the password to changeme. Because those hashes are public, treat that as a temporary measure and change the password to a strong, unique one as soon as you are logged in.
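As an added example (not part of the original article), here is a small POSIX shell script that automates steps 1 through 3: it generates a SHA-512 crypt hash with mkpasswd, falling back to openssl passwd -6 if mkpasswd is not installed, and swaps the hash into the named user's line while leaving every other user's line unchanged. The function names, the temporary-file handling and the demo file are assumptions made for this demonstration; the demo reuses the sample passwd lines and the changeme hash shown on this page rather than calling mkpasswd, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: automate the hash replacement
# in a Splunk-format passwd file. Assumes the layout shown in the sample above:
# an empty leading field, then username (field 2) and hash (field 3).

# Print a SHA-512 crypt hash ("$6$salt$hash") for the password in $1.
# Prefers mkpasswd (Debian/Ubuntu "whois" package), falls back to
# "openssl passwd -6" (OpenSSL 1.1.1 or later). A fresh random salt is
# chosen each time, so two runs on the same password give different output.
gen_sha512_hash() {
  if command -v mkpasswd >/dev/null 2>&1; then
    mkpasswd -m sha-512 "$1"
  elif command -v openssl >/dev/null 2>&1; then
    openssl passwd -6 "$1"
  else
    echo "need mkpasswd or openssl to generate a hash" >&2
    return 1
  fi
}

# Print the stored hash for user $2 in passwd file $1 (empty if absent).
get_splunk_hash() {
  awk -F: -v u="$2" '$2 == u { print $3; exit }' "$1"
}

# Replace the hash (field 3) for user $2 in passwd file $1 with $3.
# Other lines are copied through unchanged. The result is staged in a temp
# file and copied over the original so ownership and mode stay with the
# splunk user and a half-written passwd never exists on disk.
set_splunk_hash() {
  file=$1; user=$2; hash=$3
  [ -n "$(get_splunk_hash "$file" "$user")" ] || {
    echo "user '$user' not found in $file" >&2; return 1; }
  case $hash in
    '$6$'*) ;;   # only accept SHA-512 crypt, the format Splunk writes itself
    *) echo "refusing hash that is not \$6\$...: $hash" >&2; return 1 ;;
  esac
  tmp="${file}.tmp.$$"
  awk -F: -v OFS=: -v u="$user" -v h="$hash" '$2 == u { $3 = h } { print }' \
      "$file" > "$tmp" && cat "$tmp" > "$file"
  status=$?
  rm -f "$tmp"
  return $status
}

# Demo on a constructed copy of the sample passwd file from this page.
# Against a real install: point it at $SPLUNK_HOME/etc/passwd, pass the
# output of gen_sha512_hash, then restart Splunk.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
:admin:$6$s0CKRhvSS6CSGsA3$Auyk5ZB67F6B44gdaHELjR0Xe0SqYpg5fbfLnchxrneuW2jj/dsqboNffawxtWj0vCjp8syTvrVXksueRRHcD1::Administrator:admin:changeme@example.com:::17674
:tom:$6$H9WxryJqDJMAaxjW$JbQUK8VTRZw4UdUu65MLou4GEEHrUgovksy121xQWTEieRf/KoKqinExsvdLkTWgjFw61jAGIXsh6p2KVzOSP.::Tom:user::::17674
EOF
# Known hash of "changeme" from this page; in real use call gen_sha512_hash.
set_splunk_hash "$demo_dir/passwd" admin \
  '$6$jGVSWgEXnuSm$7twqk8X2viWSSESevnFtE3MBqpE7kKhPOo2p8Ee261E2VcZxNH6rIp3N4JDlBgstZf/Tv6ADgGrQpKLEFTyeT1'
cat "$demo_dir/passwd"
rm -rf "$demo_dir"
```

The awk rebuild keeps every field, including the empty trailing ones, because NF is unchanged and OFS is set back to a colon; the $6$ check guards against accidentally writing a plaintext password into the hash field, which Splunk would then reject at login.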

Using user-seed.conf

In Splunk 6.5, user-seed.conf was added to the Splunk docs as a mechanism for specifying the initial credentials of a new installation. The file is only consulted when $SPLUNK_HOME/etc/passwd does not exist, so using it is similar to the legacy recovery method of moving the passwd file aside, restarting Splunk, and logging in with admin/changeme.

Note: user-seed.conf enforces the password complexity rules. If you specify a simple password (such as changeme) in PASSWORD, it will not be set by this method; supplying a HASHED_PASSWORD instead sidesteps that check.

To reset the password using this method, follow these steps:

1. Move the existing $SPLUNK_HOME/etc/passwd file to a backup location, such as $SPLUNK_HOME/etc/passwd.bak

# mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak

2. Create a user-seed.conf file in $SPLUNK_HOME/etc/system/local containing the username and either the password or the password hash you would like to use (PASSWORD or HASHED_PASSWORD, not both):

# cat $SPLUNK_HOME/etc/system/local/user-seed.conf
[user_info]
USERNAME = admin
PASSWORD = I<3bigDATA
<OR>
HASHED_PASSWORD = $6$jGVSWgEXnuSm$7twqk8X2viWSSESevnFtE3MBqpE7kKhPOo2p8Ee261E2VcZxNH6rIp3N4JDlBgstZf/Tv6ADgGrQpKLEFTyeT1

Note: If you want to use a password hash, generate one using the mkpasswd method above.

3. Restart Splunk:

$SPLUNK_HOME/bin/splunk restart

4. Splunk generates a new passwd file containing only the seeded user, and you will be able to log in successfully:

# cat $SPLUNK_HOME/etc/passwd
:admin:$6$ZErE6BICFIv.SpPi$gMJaTh4Qb1jg/YMkRtpob6x9VyFvomOXkJLI4KzwqJnxuEANS3ZpBlGIlZkKwRuNBZ10Edh6EFw.vAboKEuQU/::Administrator:admin:changeme@example.com:::17674

5. Note that Splunk deletes the user-seed.conf file once it has consumed it (which is good, especially if you specified the password in plaintext; if you typed that password on a shell command line to create the file, remember that it may still be in your shell history):

# cat /opt/splunk/etc/system/local/user-seed.conf
cat: /opt/splunk/etc/system/local/user-seed.conf: No such file or directory

6. Merge the newly created etc/passwd file (containing only the admin user) with the backup file: remove the line for the admin user from the backup file first, append the new admin line, and make sure no username appears twice in the result before restarting Splunk.
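As an added example (not the article's own tooling), the following POSIX shell functions perform the merge in step 6 and sanity-check the result before you restart Splunk. The function names and the sample files are constructed for the demonstration: the seeded file mirrors the one shown in step 4, and the backup holds the old admin line plus two ordinary users (tom from the earlier sample and a made-up alice with a placeholder hash) so the merge is visible.

```shell
#!/bin/sh
# Added example, not from the original article: merge the seeded passwd
# (one user) back into the pre-reset backup and sanity-check the result.
# Assumes the Splunk passwd layout shown earlier (username is field 2).

# Write to $3 every line of backup $2 except the one for user $4 (default
# admin), followed by that user's fresh line taken from seeded file $1.
# The other users keep their old hashes; only the reset user gets the new one.
merge_splunk_passwd() {
  seeded=$1; backup=$2; out=$3; user=${4:-admin}
  # Refuse to produce a passwd file with no line for the reset user at all.
  awk -F: -v u="$user" '$2 == u { found = 1 } END { exit !found }' "$seeded" || {
    echo "no entry for '$user' in $seeded" >&2; return 1; }
  {
    awk -F: -v u="$user" '$2 != u' "$backup"
    awk -F: -v u="$user" '$2 == u' "$seeded"
  } > "$out"
}

# Print the usernames in passwd file $1, one per line, in file order.
list_splunk_users() {
  awk -F: '{ print $2 }' "$1"
}

# Exit non-zero and name the offender if any username occurs twice. A
# duplicate means the old admin line was not removed from the backup, so
# run this before restarting Splunk rather than after.
check_splunk_passwd() {
  awk -F: '{ if (seen[$2]++) { print "duplicate user: " $2; bad = 1 } }
           END { exit bad }' "$1"
}

# Demo with constructed files.
demo=$(mktemp -d)
# Constructed: what Splunk wrote after consuming user-seed.conf (step 4).
cat > "$demo/passwd" <<'EOF'
:admin:$6$ZErE6BICFIv.SpPi$gMJaTh4Qb1jg/YMkRtpob6x9VyFvomOXkJLI4KzwqJnxuEANS3ZpBlGIlZkKwRuNBZ10Edh6EFw.vAboKEuQU/::Administrator:admin:changeme@example.com:::17674
EOF
# Constructed: the backup from step 1, holding the old admin line plus two
# ordinary users that must survive the reset untouched (alice's hash is a
# placeholder, not a real crypt hash).
cat > "$demo/passwd.bak" <<'EOF'
:admin:$6$s0CKRhvSS6CSGsA3$Auyk5ZB67F6B44gdaHELjR0Xe0SqYpg5fbfLnchxrneuW2jj/dsqboNffawxtWj0vCjp8syTvrVXksueRRHcD1::Administrator:admin:changeme@example.com:::17674
:tom:$6$H9WxryJqDJMAaxjW$JbQUK8VTRZw4UdUu65MLou4GEEHrUgovksy121xQWTEieRf/KoKqinExsvdLkTWgjFw61jAGIXsh6p2KVzOSP.::Tom:user::::17674
:alice:$6$salt$placeholderhash::Alice:power::::17674
EOF
merge_splunk_passwd "$demo/passwd" "$demo/passwd.bak" "$demo/passwd.merged" \
  && check_splunk_passwd "$demo/passwd.merged" \
  && cat "$demo/passwd.merged"
rm -rf "$demo"
```

On a real host, write the merged output to a scratch file, run check_splunk_passwd on it, and only then move it over $SPLUNK_HOME/etc/passwd (keeping the backup) before restarting Splunk.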


Hopefully these steps will be able to help you out if you ever lock yourself out of your Splunk instance and forget the keys, or need to take over management of a Splunk instance where no one has administrative credentials. Happy Splunking!
