Splunk is a fantastic tool, but it is also very expensive for personal use (3000 USD/year for a 500 MB/day license).
Luckily they provide a free version. Too bad it doesn't support logins, so if you want to make Splunk available on the internet, everyone who knows your port can check out your logs. Convenient, I know.
I wanted to make a little login screen so not everyone could get on and read what versions all of my programs run on and what commands I last ran in .bash_history.
This is what I ended up with in Apache.
First you need to enable mod_proxy for Apache if you haven't already. Then make a file (name it whatever you like) and put it in /etc/apache2/sites-available/
It should contain a modified version of this (this one is mine, but I feel I learn best by example so maybe others do too):
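<VirtualHost *:80>
    # Plain HTTP: Basic auth credentials cross the network unencrypted
    ServerAdmin evotech@slashdir.com
    ServerAlias splunk.slashdir.com
    # Forward every request to Splunk on localhost (needs mod_proxy and mod_proxy_http)
    ProxyPass / http://127.0.0.1:8008/
    ProxyPassReverse / http://127.0.0.1:8008/
</VirtualHost>
<Proxy http://127.0.0.1:8008/*>
    # Apache 2.2 access syntax; net effect is allow from anywhere, gated by the login below
    Order deny,allow
    Deny from all
    Allow from all
    # Prompt for a username/password checked against the htpasswd file
    AuthName "splunk"
    AuthType Basic
    AuthUserFile /home/evotech/public_www/.htpasswd
    Require valid-user
</Proxy>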
*ServerAlias also needs to be in your DNS so it points to your server's IP.
*Change the port in ProxyPass / ProxyPassReverse / <Proxy> to your Splunk port; by default this is 8000
*Make your htpasswd file by running this command in a console:
htpasswd -c .htpasswd username
After you have successfully made the file, symlink it so Apache sees the setup:
ln -s /etc/apache2/sites-available/yourfile /etc/apache2/sites-enabled/yourfile
Restart Apache:
service apache2 restart
And I added these rules to iptables to block everything but localhost (127.0.0.1) from accessing my Splunk port (so you cannot access the original Splunk setup, but must go through Apache):
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8008 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j DROP
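Both rules are added with -A, which appends to the end of the INPUT chain, and iptables stops at the first matching ACCEPT or DROP, so an ACCEPT rule already in the chain can make the DROP unreachable. The script below is an added example, not part of the original post, that checks the rule order from `iptables -S INPUT` output; the function name, verdict labels and sample rule sets are made up for illustration, and the matching is a heuristic that does not follow jumps into custom chains.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies how the INPUT chain
# treats a new inbound TCP connection to the Splunk port.
# Live use, as root:  iptables -S INPUT | audit_splunk_port 8008
audit_splunk_port() {
    awk -v port="$1" '
    # True if the rule has "flag value", not negated, with value matching re.
    function has(flag, re,   i) {
        for (i = 1; i < NF; i++)
            if ($i == flag && $(i + 1) ~ re && $(i - 1) != "!") return 1
        return 0
    }
    $1 != "-A" || $2 != "INPUT" { next }     # skip policy lines
    {
        target = ""
        for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
        names_port = has("--dport", "^" port "$")
        # Broad rule: no port match, covers TCP, not limited to established
        # traffic, so it also decides new connections to our port.
        broad = !has("--dport", ".") &&
                (!has("-p", ".") || has("-p", "^tcp$")) &&
                !has("--state", ".") && !has("--ctstate", ".")
        if (!names_port && !broad) next
        loopback = has("-s", "^127\\.") || has("-i", "^lo$")
        if (target == "ACCEPT" && loopback) { lo_ok = 1; next }
        if (target == "ACCEPT") { verdict = "EXPOSED"; exit }
        if (target == "DROP" || target == "REJECT") {
            verdict = (lo_ok && !loopback) ? "PROTECTED" : "BLOCKS_PROXY"
            exit
        }
    }
    END { print (verdict == "" ? "NO_DROP_RULE" : verdict) }'
}
# Constructed sample: the post's two rules as `iptables -S INPUT` prints them.
post_rules() {
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8008 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 8008 -j DROP'
}
# Constructed sample: the same rules appended after an older broad ACCEPT.
shadowed_rules() {
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -p tcp -j ACCEPT' \
        '-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8008 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 8008 -j DROP'
}
post_rules | audit_splunk_port 8008       # prints PROTECTED
shadowed_rules | audit_splunk_port 8008   # prints EXPOSED
```

BLOCKS_PROXY means the DROP is reached before any loopback ACCEPT, so Apache's own connection to Splunk would be dropped too; NO_DROP_RULE means the outcome is left to the chain policy.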
When you are done, your site should behave like this
And your domain:splunkport should behave like this
If not, refer to your /var/log/apache2/error.log
Questions?