• How Splunk Works
  • How Splunk Works
    • About Splunk
    • Indexing
    • User interaction
    • Users and access controls
    • Distributed deployments
    • Configuration
    • SplunkBase
    • Developer APIs and integration features
    • Licensing
• Getting Started
  • About the getting started section
  • Installation
  • Administration Basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Start Splunk for the first time
  • Find and index data
    • Add Data
    • Tail a file
    • Find logfiles
    • Get help configuring your sources
  • Add more users
    • User roles
    • Splunk local users
    • LDAP
• Configuring a Splunk Deployment
  • Choose a Deployment Model
    • Single server
    • Distributed input
    • Distributed indexing
    • Data redundancy
    • Partitioning
    • Forwarding to non-Splunk systems
    • LDAP integration
  • Decide how Splunk should index your data
    • Create additional indexed fields
    • Tweak default processing
    • Mask sensitive data
    • Change indexing density
    • Eliminate processing steps
    • Filter and route data
  • Install Splunk on every host
  • Configure the forwarding servers
    • Define server classes
    • Inputs
    • Processing properties
    • Data distribution
    • Data policy
    • Authentication
  • Set up the deployment server
    • Configure the deployment server
    • Set up deployment classes
  • Start Splunking
• Data Inputs
  • How input configuration works
    • Data input types
    • Indexing properties
  • Configure inputs via SplunkWeb
    • Configuration
    • Files and directories
    • FIFO queues
    • Network ports
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
    • Examples
  • Scripted inputs
    • Configuration
    • Example
  • File whitelisting / blacklisting
    • Configuration
    • Example
    • Verification tool
  • Log file rotation
    • How log rotation works
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via SplunkWeb
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via SplunkWeb
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Sources and source types
    • How sourcetype:: values are set
    • Custom indexing linked to source types
    • Eliminate processing steps
    • Configuration files for source types
  • Set source type for an input
    • via SplunkWeb
    • via configuration files
  • Train Splunk on a sourcetype
    • via the CLI
  • Create an alias for a source type
    • via SplunkWeb
• Timestamp Recognition
  • How Splunk recognizes timestamps
    • Timestamp precedence
    • Configuration files for timestamps
  • Configure Splunk to recognize a timestamp
    • Positional timestamp extraction
    • Specify timestamp format
    • Set time zone
    • Set Splunk to use the European date format
  • Train Splunk to recognize timestamps
    • About training
    • via the CLI
  • How to configure timezone offsets
    • Configuration
    • Posix TZ formats
    • Examples
• Events
  • How events work
    • Event or event type
    • How event recognition works
    • Configuration files for event boundaries
  • Large events
  • Multiline events
    • Configuration
    • Examples
  • Mask sensitive data in an event
    • Configuration
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Auto-discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Configure auto-discovery
    • Configuration
    • Example
  • punct::
  • Save event types via SplunkWeb
    • Configuration
    • Example
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Considerations for event types in distributed environments
• Meta Events
  • How meta events work
    • Transitive meta events
    • Configuration files for meta events
  • Configure meta events
    • Configuration
    • Examples
• Fields
  • How fields work
    • Search fields vs extracted fields
    • Disable fields entirely
    • Configuration files for fields
  • Define additional extracted fields
    • Configuration
    • Example
  • Field actions
    • Configuration
• Segmentation
  • How segmentation works
    • Configuration files for segmentation
• Saved Searches and Alerts
  • How Saved Searches Work
    • Set Up Saved Searches via SplunkWeb
    • Configuration files for saved searches and alerts
  • Set up Alerts
    • via SplunkWeb
    • via configuration files
    • Script options
  • Send SNMP traps
    • Configuration
  • Send syslog events
    • Configuration
    • Example
  • Considerations for saved searches and alerts in a distributed environment
• Authentication
  • How authentication works
  • SSL
    • Configuration
    • SSL for SplunkWeb
  • Set up users
  • Set up LDAP
    • Configure your Authentication Strategy via SplunkWeb
    • Configure Splunk to use your LDAP server
    • Determine your User and Group Base DN
    • Map existing LDAP groups to Splunk Roles
    • Test your LDAP configuration
    • Sample configurations
• Data Distribution
  • How data distribution works
    • Data forwarding
    • Data routing
    • Data cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lite-weight forwarding and routing
  • Route data to third-party systems
    • Configuration
    • Example
  • Enable cloning
  • Set up routing
    • Configuration
    • Examples
  • Set up data balancing
    • Configuration
    • Example
  • Filter data before forwarding
  • Route specific events to an alternate index
    • Configuration
    • Example
  • Filtering and routing
    • Configuration
    • Example
• Granular Access Control
  • How Granular Access Control works
    • Configuration files for access controls
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via SplunkWeb
  • Enable distributed search via the CLI
    • Configuration
  • Configuration files for distributed search
  • Users in a distributed search setup
  • Exclude specific Splunk servers from distributed searches
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Create a deployment server
    • Configuration
    • Examples
  • Configure deployment clients
    • Enable the client and server
    • Sync the server and client
  • Configuration changes after initial deployment
  • Using Splunk with 3rd Party configuration management systems
• Index Management
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Set retirement policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restoring archived data
    • Restoring a copied index archive
  • Configuration files for data policy
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Set up a WORM datastore
  • Reducing Index Density
  • Delete data from the index
    • Delete everything
    • Delete a subset of events
• Bundles
  • What are Bundles?
  • Bundle directory structure
  • Bundle configuration
    • Making a bundle
  • Bundle best practice
    • Testing bundles
  • Bundle precedence
• SplunkBase
  • Why use SplunkBase?
  • Sharing add-ons on SplunkBase
    • Creating Add-ons
    • Best practices for making add-ons containing Splunk configuration
    • Submit your add-on
  • Finding and downloading add-ons on SplunkBase
    • Implementing add-ons from SplunkBase
  • Security and privacy considerations
  • Control user access to SplunkBase
• Performance Tuning
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • eventdiscoverer.conf
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • Tuning indexes.conf
    • Tuning props.conf
    • Make SplunkWeb search faster
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • Network utilization
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Virtual machines
• Routine Maintenance
  • System backups
    • Backups in 3 Easy Steps
  • Monitoring Splunk
    • via SplunkWeb
• How-To
  • Harden a Splunk server
  • Secure network connections
  • Restore a failed server
  • Add or Remove an index
    • Create an index
    • Delete an index
  • Move an index
    • Configuration
  • Change data policy to recover space
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Public server setup
  • Determine daily volume
  • Set up auto-refresh
  • Upgrade your license for more data
  • Strip syslog headers before processing
  • Restore a blocked license
  • Customize the built-in help module
  • Configure GUI Timeout
  • Configure the Get Started module
  • Disable SplunkWeb
    • Edit web.conf
    • Run the disable command
    • Re-enable SplunkWeb
  • Configure OPSEC LEA Input
    • Installation
    • Checkpoint Modification
    • Configuration
  • Place Splunk behind a web proxy
    • Scenario:
    • Solution:
  • Cancel Search
  • Enable HTTPS
    • configuration
• Troubleshooting
  • Splunkd is down
  • Splunk logfiles
    • Internal logs
    • debug
    • log.cfg
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • Cannot access License & Usage tab
    • I installed my license in a Preview release and now it doesn't work!
  • Contact Support
    • Work with Splunk Support
    • Log levels and starting in debug mode
• Reference
  • Splunk CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • Default indexing properties
    • How Splunk indexes (by default)
    • What controls indexing properties
    • How to change indexing properties
  • Configuration file list
  • access_controls.conf
    • access_controls.conf.spec
  • alert_actions.conf
    • alert_actions.conf.spec
  • auth.conf
    • auth.conf.spec
  • deployment.conf
    • deployment.conf.spec
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
  • eventtypes.conf
    • eventtypes.conf.spec contents
  • field_actions.conf
    • field_actions.conf.spec
  • indexes.conf
    • indexes.conf.spec
  • inputs.conf
    • inputs.conf.spec
  • metaevents.conf
    • metaevents.conf.spec
  • outputs.conf
    • outputs.conf.spec
  • prefs.conf
    • prefs.conf.spec
  • props.conf
    • props.conf.spec
  • savedsearches.conf
    • How to read a savedsearches.conf file
    • savedsearches.conf.spec
  • segmenters.conf
    • segmenters.conf.spec
  • server.conf
    • server.conf.spec
  • transforms.conf
    • transforms.conf.spec
  • user-seed.conf
    • user-seed.conf.spec
  • web.conf
    • web.conf.spec

Set up LDAP

Splunk supports authentication via its internal authentication services or your existing LDAP v3 server. You can configure multiple LDAP servers (defined as an Authentication Strategy) but Splunk supports only using one at a time. You must specify a user for the bind, as Splunk 3.x does not support anonymous bind. You may wish to create a user with minimal privileges for this purpose.

Configure your Authentication Strategy via SplunkWeb

In the Admin section, click the Server tab . Then click the Authentication Configuration header. Select LDAP from the Set Authentication method drop-down.

Configure Splunk to use your LDAP server

These are the steps that you need to follow in order to successfully configure Splunk to use your existing LDAP infrastructure:

• Define an LDAP strategy name for your configuration. The name cannot be LDAP and it must not contain spaces.
  • Once you have saved your LDAP configurations, the strategy name will be added to the Set Authentication Strategy drop-down.
• Specify the Host name of your LDAP server. Be sure that your Splunk Server can resolve the host name.
• Specify the Port that Splunk should use to connect to your LDAP server. By default LDAP servers listen on TCP port 389.
• Specify the Distinguished Name (DN) to bind to the LDAP server with; typically the administrator or manager user. Should have full read access.
• Specify the password of the user Splunk is using to bind to the LDAP server.
• Confirm the password.
• Specify the User base DN that Splunk should use when looking up user information.
• Specify the User base filter for the object class you want to filter your users on.
  • IMPORTANT: The username attribute cannot contain whitespace. The username is case sensitive.
• Specify the Group base DN that Splunk should use when looking up group information.
• Specify the Group base filter, the attribute that defines the group name. The standard OpenLDAP/POSIX value is gid.
• Enter the User name attribute that defines the user name. The standard OpenLDAP/POSIX value is uid. for example, sAMAccountName for an AD account
• Specify the Real name attribute (also referred to as the common name) of the user. The standard OpenLDAP/POSIX value is cn.
• Input the Group name attribute. Use only if users and groups are defined in the same tree. Usually cn.
• Specify the Group member attribute. The standard OpenLDAP/POSIX value is member. Usually member or memberOf, depending on whether the memberships are listed in the group entry or the user entry.
• Enter the Group mapping attribute. Enter this value only if your member entries don't contain dn strings. Usually dn. In most cases, you can leave this field blank.
• Enter a value for pageSize. This determines how many records to return at one time. Enter 0 to disable and revert to LDAPv2
• Specify a Failsafe user name. This user will allow you to authenticate into Splunk in the event that your LDAP server is unreachable.
  • IMPORTANT: This user has admin privileges on the Splunk install.
• Specify a Failsafe user password for your failsafe user.
  • Confirm the failsafe password.

Determine your User and Group Base DN

The distinguished name is the location in the directory where authentication information is stored. If all information is contained in each user's entry, then these distinguished names must be the same. If group membership information for users is kept in a separate entry, then supply a separate distinguished name identifying the subtree in the directory where the group information is stored.

This allows flexibility in configuration and prevents Splunk from having to extend the LDAP schema.

Examples

Case 1: User entries in the directory have both password and group membership stored in them. User entry DNs are of the form userid=bjensen,ou=People,o=MyCo.

userBaseDN = ou=People,o=MyCo
groupBaseDN = ou=People, o=MyCo

Case 2: Group membership information is kept in a separate entry from the user entries. User entry DNs are of the form userid=bjensen,ou=People,o=MyCo and group information is stored at gid=Users,ou=Groups,o=MyCo

userBaseDN = ou=People,o=MyCo
groupBaseDN = ou=Groups,o=MyCo

Map existing LDAP groups to Splunk Roles

Once you have configured your Splunk Server to authenticate via your LDAP server you will need to map your existing LDAP groups to Splunk's user role levels. If you do not use groups you can map users individually, but note that you can either map users or map groups but not both. If you are using groups, all the users you wish to have access to Splunk must be members of an appropriate group.

Under the Users tab you will see all of your users and groups. Click the Edit link next to the appropriate user or group to define User Roles

Test your LDAP configuration

If you find that your Splunk install is not able to successfully connect to your LDAP server there are a few troubleshooting steps that you can perform:

• Remove any custom values you've added for userBaseFilter and groupBaseFilter until your configuration is correct.
• Check your $SPLUNK_HOME/var/log/splunk/splunkd.log for any authentication errors.
• Perform an ldapsearch to test that the variables you are specifying will work:

ldapsearch -h "<host>" -p "<port>" -b "<userBaseDN>" -x -D "<bindDN>" -w "<bindDNpassword>"
ldapsearch -h "<host>" -p "<port>" -b "<groupBaseDN>" -x -D "<bindDN>" -w "<bindDNpassword>"

Sample configurations

Mapping users directly

This example has all the users in the same location, with no separate group records. Users are mapped to roles via the employeeType.

auth.conf:

[auth]
authType = LDAP
authSettings = iPlanetCongress

[iPlanetCongress]
groupNameAttribute = employeeType
host = 10.1.1.162
port = 3389
SSLEnabled = 0
failsafeLogin = admin
failsafePassword = 
bindDN = cn=Directory Manager
bindDNpassword = 
userBaseDN = ou=Congressmen,dc=splunk,dc=com;
groupBaseDN = ou=Congressmen,dc=splunk,dc=com;
userNameAttribute = sn
realNameAttribute = cn
pageSize = 0
groupBaseFilter = (objectclass=*)
groupMappingAttribute = dn
userBaseFilter = (objectclass=*)
groupMemberAttribute =
Admin = Representative
Power =
User = Senator

User's ldif:

dn: cn=Adam Putnam, ou=Congressmen,dc=splunk,dc=com
givenName: Adam
sn: Putnam
employeeType: Representative
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
postalAddress: 1213 LONGWORTH HOUSE OFFICE BUILDING $ WASHINGTON DC 20515
cn: Adam Putnam
employeeNumber: 12
businessCategory: Republican
st: FL

Users and groups in the same location

This example uses the same userBaseDN and groupBaseDN

auth.conf

[AD]
SSLEnabled = 0
bindDN = cn=Administrator,CN=Users,DC=ad,DC=splunk,DC=com
bindDNpassword =
failsafeLogin = admin
failsafePassword =
groupBaseDN = CN=Users,DC=ad,DC=splunk,DC=com;
groupBaseFilter = (objectclass=*)
groupMappingAttribute = dn
groupNameAttribute = memberOf
host = 10.1.1.27
pageSize = 800
port = 389
realNameAttribute = cn
userBaseDN = CN=Users,DC=ad,DC=splunk,DC=com;
userBaseFilter = (objectclass=user)
userNameAttribute = sAMAccountName
Admin = CN=Group Policy Creator Owners,CN=Users,DC=ad,DC=splunk,DC=com;CN=TestGroup3,CN=Users,DC=ad,DC=splunk,DC=com;
Power = CN=TestGroup2,CN=Users,DC=ad,DC=splunk,DC=com;
User = CN=TestGroup1,CN=Users,DC=ad,DC=splunk,DC=com;
groupMemberAttribute =

[auth]
authSettings = AD
authType = LDAP

User ldif

dn: CN=Administrator, CN=Users, dc=ad,DC=splunk,DC=com
sAMAccountType: 805306368
primaryGroupID: 513
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
adminCount: 1
badPasswordTime: 128323857101974560
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=splunk,DC=com
cn: Administrator
userAccountControl: 66048
codePage: 0
distinguishedName: CN=Administrator,CN=Users,DC=ad,DC=splunk,DC=com
whenChanged: 20070503190032.0Z
whenCreated: 20070406210810.0Z
pwdLastSet: 128226924328683968
logonCount: 48
isCriticalSystemObject: TRUE
description: Built-in account for administering the computer/domain
accountExpires: 9223372036854775807
lastLogoff: 0
objectGUID:
lastLogon: 128324519126218672
uSNChanged: 57357
uSNCreated: 8194
objectSid: 

countryCode: 0
sAMAccountName: Administrator
instanceType: 4
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=ad,DC=splunk,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=ad,DC=splunk,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=ad,DC=splunk,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=ad,DC=splunk,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=ad,DC=splunk,DC=com
badPwdCount: 0
name: Administrator

Group ldif

dn: CN=Group Policy Creator Owners, CN=Users, dc=ad,DC=splunk,DC=com
member: CN=Administrator,CN=Users,DC=ad,DC=splunk,DC=com
sAMAccountType: 268435456
objectClass: top
objectClass: group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ad,DC=splunk,DC=com
cn: Group Policy Creator Owners
groupType: -2147483646
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=ad,DC=splunk,DC=com
whenChanged: 20070406211429.0Z
whenCreated: 20070406211428.0Z
isCriticalSystemObject: TRUE
description: Members in this group can modify group policy for the domain
objectGUID:
uSNChanged: 12380
uSNCreated: 12350
objectSid: 

sAMAccountName: Group Policy Creator Owners
instanceType: 4
name: Group Policy Creator Owners