README.md: 3 additions & 1 deletion
@@ -132,7 +132,9 @@ Note: Any task with an **adhoc** prefix means that it can be used independently
132
132
-**adhoc_fix_server_certificate.yml** - Use to delete an expired server.pem and generate a new one (default certs). Useful if your server.pem certificate has expired and you are using Splunk's default certificate for splunkd. Note that default certificates present a security risk and that their use should be avoided, if possible.
133
133
-**adhoc_kill_splunkd.yml** - Some releases of Splunk have a "feature" that leaves zombie splunkd processes after a 'splunk stop'. Use this task after a 'splunk stop' to make sure that it's really stopped. Useful for upgrades on some of the 7.x releases, and automatically called by the upgrade_splunk.yml task.
134
134
-**check_splunk.yml** - Check if Splunk is installed. If Splunk is not installed, it will be installed on the host. If Splunk is already installed, the task will execute a "splunk version" command on the host, and then compare the version and build number of Splunk to the version and build number of the expected version of Splunk. Note that the expected version of Splunk does not need to be statically defined; The expected Splunk version and build are automatically extracted from the value of splunk_package_url_full or splunk_package_url_uf using Jinja regex filters. This task will work for both the Universal Forwarder and full Splunk Enterprise packages. You define which host uses what package by organizing it under the appropriate group ('full' or 'uf') in your Ansible inventory.
135
+
-**check_decrypted_secret.yml** - Check the decrypted value of a given `pass4SymmKey`. This can be called by a task to compare the desired value with the currently configured value to see if they match. This pervents unnessecary changes to be applied.
135
136
-**configure_apps.yml** - This task should be called directly from a playbook in order to deploy apps or configurations (from git repositories) to Splunk hosts. Tip: Add a this task to a playbook after the check_splunk.yml play. Doing so will perform a "install (or upgrade) and deploy apps" run, all in one playbook.
137
+
-**configure_auditd.yml** - Configure auditd filtering rules to exclude splunk launched executables. Disabled by default, but can be enabled by setting `splunk_auditd_configure` to `true`.
136
138
-**configure_authentication.yml** - Uses the template identified by the `splunk_authenticationconf` variable to install an authentication.conf file to $SPLUNK_HOME/etc/system/local/authentication.conf. We are including this task here since Ansible is able to securely deploy an authentication.conf configuration by using ansible-vault to encrypt sensitive values such as the value of the `ad_bind_password` variable. Note: If you are using a common splunk.secret file, you can omit this task and instead use configure_apps.yml to deploy an authentication.conf file from a Git repository containing an authentication.conf app with pre-hashed credentials.
137
139
-**configure_bash.yml** - Configures bashrc and bash_profile files for the splunk user. Please note that the templates included with this role will overwrite any existing files for the splunk user (if they exist). The templates will define a custom PS1 at the bash prompt, configure the $SPLUNK_HOME environment variable so that you can issue "splunk <command>" without specifying the full path to the Splunk binary, and will enable auto-completion of Splunk CLI commands in bash.
138
140
-**configure_deploymentclient.yml** - Generates a new deploymentclient.conf file from the deploymentclient.conf.j2 template and installs it to $SPLUNK_HOME/etc/system/local/deploymentclient.conf. This task is included automatically during new installations when values have been configured for the `clientName` and `splunk_uri_ds` variables.
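Review bot: The added check_decrypted_secret.yml entry has two typos and an awkward clause in "This pervents unnessecary changes to be applied"; suggest "This prevents unnecessary changes from being applied." The entry is also inserted after check_splunk.yml, while the surrounding list is alphabetical, so it should sit before it. Because the task works with the decrypted value of a `pass4SymmKey`, the README should say whether that value is kept out of task output and logs when the comparison runs. For configure_auditd.yml, "splunk launched executables" reads better as "Splunk-launched executables", and since the rules exclude events from auditing, a sentence on what the exclusion matches on would help readers judge the loss of audit visibility before setting `splunk_auditd_configure` to `true`.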
@@ -168,7 +170,7 @@ Note: Any task with an **adhoc** prefix means that it can be used independently
168
170
-**splunk_restart.yml** - Restarts splunk via the service module. Used when waiting for a handler to run at the end of the play would be inappropriate.
169
171
-**splunk_start.yml** - Starts splunk via the service module. Used when waiting for a handler to run at the end of the play would be inappropriate.
170
172
-**splunk_stop.yml** - Stops splunk via the service module. Used when waiting for a handler to run at the end of the play would be inappropriate.
171
-
-**upgrade_splunk.yml** - *Do not call upgrade_splunk.yml directly! Use check_splunk.yml* - Called by check_splunk.yml. Performs an upgrade of an existing splunk installation. Configures .bash_profile and .bashrc for splunk user (by calling configure_bash.yml), disables THP and increases ulimits (by calling configure_os.yml), kills any stale splunkd processes present (by calling adhoc_kill_splunkd.yml). Note: You should NOT run the upgrade_splunk.yml task directly from a playbook. check_splunk.yml will call upgrade_splunk.yml if it determines that an upgrade is needed; It will then download and unarchive the new version of Splunk (by calling download_and_unarchive.yml), ensure that mongod is in a good stopped state (by calling adhoc_fix_mongo.yml), and will then perform post-installation tasks using the post_install.yml task.
173
+
-**upgrade_splunk.yml** - *Do not call upgrade_splunk.yml directly! Use check_splunk.yml* - Called by check_splunk.yml. Performs an upgrade of an existing splunk installation. Configures .bash_profile and .bashrc for splunk user (by calling configure_bash.yml), disables THP and increases ulimits (by calling configure_os.yml), kills any stale splunkd processes present when `splunk_force_kill` is set to `True`(by calling adhoc_kill_splunkd.yml). Note: You should NOT run the upgrade_splunk.yml task directly from a playbook. check_splunk.yml will call upgrade_splunk.yml if it determines that an upgrade is needed; It will then download and unarchive the new version of Splunk (by calling download_and_unarchive.yml), ensure that mongod is in a good stopped state (by calling adhoc_fix_mongo.yml), and will then perform post-installation tasks using the post_install.yml task.
172
174
173
175
## Frequently Asked Questions
174
176
**Q:** What is the difference between this and splunk-ansible?
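Review bot: The reworded upgrade_splunk.yml entry makes the kill step conditional on `splunk_force_kill` but does not state that variable's default, so a reader cannot tell whether upgrades still kill stale splunkd processes unless they change something. Please document the default here or in the variables section. The adhoc_kill_splunkd.yml entry earlier in the README still says it is "automatically called by the upgrade_splunk.yml task", which should now carry the same condition. Two small style points on the same line: there is a missing space in "`True`(by calling adhoc_kill_splunkd.yml)", and the boolean is written `True` here but `true` in the configure_auditd.yml entry; pick one form.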