Splunk is pretty damn cool. And since Splunk 4, it’s been much easier to set up and run. And since my environment at work produces a lot less than 500MB/day of logs, I can safely use the free version of splunk. But, this has a downside. You don’t get user authentication (there’s other stuff you don’t get, but the big one to me is user auth).
So, the obvious solution is to proxy Splunk behind apache and have apache do the user authentication. There’s some good info about doing this online, but it seems none of it is complete for what I was trying to do.
So, here’s what I had to do. First, the relevant chunk in the apache config (if you’re doing this over https, you may want to add “SSLProxyEngine On” before the mod_rewrite section):
<VirtualHost *:80> ServerName server.example.com:80 ProxyPass /splunk http://127.0.0.1:8000/splunk ProxyPassReverse /splunk http://127.0.0.1:8000/splunk <IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^/(static.*) /splunk/$1 [P] </IfModule> </VirtualHost>
So, on my server, I’d go to https://server.example.com/splunk to visit my splunk page. The rewrite rule is there to fix what seems like a bug in the “jobs” page for splunk, that doesn’t seem to obey the “root_endpoint” set below.
The second part of this is to set a few things in the web.conf.
In my case, since this is running on a Mac, these go in a file in /Applications/splunk/etc/system/local/web.conf
root_endpoint = /splunk tools.proxy.on = True updateCheckerBaseURL = 0
The first basically says “everything is in the /splunk subdirectory”. The Second I’d assume says “Splunk is being proxy’d”, and the Third is something I had to add to fix a weird issue I was seeing after doing all of this. Once I’d proxy’d it, every time I would open a new session to Splunk, I would see the “Checking for Updates” and then the “Agreement” page, which the continue button wouldn’t point back to http://server.example.com/splunk but just http://server.example.com/. So, That third line basically disables the update check. It’s kind of silly anyway since I keep an eye on the splunk.com webpage to check for updates.
As for securing splunk beyond proxy’ing it, I just set up a realm in Server Admin that locks down the /splunk location. Pretty easy.
Good luck. Splunk is pretty cool, and makes it dead simple to track down issues, get statistics, etc. I’m still not really proficient with it, but I hope over time I’ll learn more of what I can do with it.
Cormac says
Good post, was running into the same issue with Splunk which was quite annoying. Did you ever find out if there was a more elegant solution to this. It seems like a bug, that the login page doesn’t pick up the root_endpoint directive.
staze says
I did not find a way around it. =/ I haven’t brought it up with my Splunk contact either, but you’re right, I probably should. Will do that today.
Thanks for reading!