From 7c9615bc385966d433b37ec6d6b7cffac03fca22 Mon Sep 17 00:00:00 2001 From: arcsector <26469747+arcsector@users.noreply.github.com> Date: Thu, 23 Jan 2025 14:14:37 -0800 Subject: [PATCH 1/2] Added: - Splunk launch config setting splunk user, home, service name, and DB path if defined - New var for DB Path Changed: - README references new splunk launch task - installation task includes splunk launch task --- README.md | 1 + roles/splunk/defaults/main.yml | 1 + .../splunk/tasks/configure_splunk_launch.yml | 30 ++++ roles/splunk/tasks/install_splunk.yml | 153 +++++++++--------- 4 files changed, 110 insertions(+), 75 deletions(-) create mode 100644 roles/splunk/tasks/configure_splunk_launch.yml diff --git a/README.md b/README.md index c7608a17..aad5b6be 100644 --- a/README.md +++ b/README.md 
@@ -151,6 +151,7 @@ Note: Any task with an **adhoc** prefix means that it can be used independently - **configure_shc_members.yml** - Initializes search head clustering on Splunk hosts that will be participating in a new search head cluster. Relies on the values of: `splunk_shc_key`, `splunk_shc_label`, `splunk_shc_deployer`, `splunk_shc_rf`, `splunk_shc_rep_port`, `splunkd_port`, `splunk_admin_username`, and `splunk_admin_password`. Be sure to review the default values for the role for these and configure them appropriately in your group_vars. - **configure_splunk_forwarder_meta.yml** - Configures a new indexed field called splunk_forwarder and sets its default value to the value of `ansible_hostname`. Note that you will need to install a fields.conf on your search head(s) if you wish to use this custom indexed field. - **configure_splunk_boot.yml** - Used during installation to automatically configure splunk boot-start to the desired state. This task can also be used to enable boot-start on an existing host that does not have it enabled, or to switch from init.d to systemd, or vice-versa. The desired boot-start method is determined using the boolean value of `splunk_use_initd` (true=initd, false=systemd). In addition it is also possible for splunk to create a polkit rule, if using systemd, that allows the `splunk_nix_user` to managed the splunk service without authentication. You may also set the `systemd_unit_full` or the `systemd_unit_uf` variables to customize the service name systemd will use. +- **configure_splunk_launch.yml** - Configures the splunk-launch.conf file with variables to persist values if their default changes. Configures the splunk user, home, service name, and DB path if defined. - **configure_splunk_secret.yml** - Configures a common splunk.secret file from the files/authentication/splunk.secret so that pre-hashed passwords can be securely deployed. 
Note that changing splunk.secret will require re-encryption of any passwords that were encrypted using the previous splunk.secret since Splunk will no longer be able to decrypt them successfully.
- **configure_systemd.yml** - Updates Splunk's systemd file using best practices and tips from the community. Also allows Splunk to start successfully using systemd after an upgrade without the need to run `splunk ftr --accept-license`.
- **configure_thp.yml** - Installs a new systemd service (disable-thp) that disables THP for RedHat|CentOS systems 6.0+. This task is automatically called by the configure_os.yml task. Optionally, you can set `use_tuned_thp` to configure THP via `tuned` instead of a service. Default is `false`. Mote: Make sure your host does not require a specific `tuned` profile before applying this one.
diff --git a/roles/splunk/defaults/main.yml b/roles/splunk/defaults/main.yml
index 804312bd..1694c735 100644
--- a/roles/splunk/defaults/main.yml
+++ b/roles/splunk/defaults/main.yml
@@ -53,6 +53,7 @@ git_version: master # Configure default version to clone, overridable inside the
app_relative_path: # set a sub-path you want to sync within a repo. If the repo contains multiple apps in the root directory, just set this to a trailing slash.
splunk_app_deploy_path: undefined # Path under $SPLUNK_HOME/ to deploy apps to - Note that this may be set in group_vars, host_vars, playbook vars, or inside the git_apps dictionary within host_vars
splunk_auditd_configure: false # Whether or not to install auditd filtering rules for splunk launched executables
+splunk_db_path: undefined # Path which specifies the location of indexes on indexers and KVStores on other systems - defaults to $SPLUNK_HOME/var/lib/splunk
# IDXC Vars
splunk_idxc_key: mypass4symmkey
splunk_idxc_rf: 2
diff --git a/roles/splunk/tasks/configure_splunk_launch.yml b/roles/splunk/tasks/configure_splunk_launch.yml
new file mode 100644
index 00000000..744089ee
--- /dev/null
+++ b/roles/splunk/tasks/configure_splunk_launch.yml
@@ -0,0 +1,30 @@
+---
+- name: Configure Splunk Launch with user, home, and service values
+ community.general.ini_file:
+ path: "{{ splunk_home }}/etc/splunk-launch.conf"
+ section: null
+ option: "{{ item.key }}"
+ value: "{{ item.value }}"
+ owner: "{{ splunk_nix_user }}"
+ group: "{{ splunk_nix_group }}"
+ mode: 0644
+ become: true
+ loop:
+ - key: SPLUNK_OS_USER
+ value: "{{ splunk_nix_user }}"
+ - key: SPLUNK_HOME
+ value: "{{ splunk_home }}"
+ - key: SPLUNK_SERVER_NAME
+ value: "{{ splunk_service }}"
+
+- name: Ensure splunk DB set correctly for IDX in splunk-launch
+ community.general.ini_file:
+ path: "{{ splunk_home }}/etc/splunk-launch.conf"
+ section: null
+ option: SPLUNK_DB
+ value: "{{ splunk_db_path }}"
+ owner: "{{ splunk_nix_user }}"
+ group: "{{ splunk_nix_group }}"
+ mode: 0644
+ become: true
+ when: splunk_db_path is defined and splunk_db_path != "undefined"
diff --git a/roles/splunk/tasks/install_splunk.yml b/roles/splunk/tasks/install_splunk.yml
index b1b63988..b415b72c 100644
--- a/roles/splunk/tasks/install_splunk.yml
+++ b/roles/splunk/tasks/install_splunk.yml
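Review bot: The second task writes `SPLUNK_DB={{ splunk_db_path }}` into splunk-launch.conf, but nothing in this file creates that directory or hands it to `splunk_nix_user`/`splunk_nix_group`, so on a fresh host splunkd is pointed at a path that does not exist or is root-owned, and because the write does not notify a restart the new location only takes effect on the next start anyway; add a `file` task with `state: directory` (below) ahead of the ini_file write. Both tasks use `mode: 0644`, an unquoted octal literal that YAML 1.1 loaders read as the integer 420 and ansible-lint flags as risky-octal — quote it as `mode: "0644"`. `section: null` depends on community.general's ini_file accepting a null section for keys outside any `[section]`, which only newer collection releases support, so the role's requirements should pin a minimum version if they do not already. As a matter of style, the two tasks repeat path/owner/group/mode/become verbatim; folding SPLUNK_DB into the first task's `loop` with a per-item `when` would remove the duplication.
```yaml
- name: Ensure the custom SPLUNK_DB directory exists and is owned by the splunk user
  ansible.builtin.file:
    path: "{{ splunk_db_path }}"
    state: directory
    owner: "{{ splunk_nix_user }}"
    group: "{{ splunk_nix_group }}"
    # index and KV store data should not be world-readable; relax only if a local consumer needs it
    mode: "0700"
  become: true
  when: splunk_db_path is defined and splunk_db_path != "undefined"

# … unchanged: "Ensure splunk DB set correctly for IDX in splunk-launch" ini_file task …
```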
@@ -1,75 +1,78 @@ ---- -# This task should be used for fresh installations of Splunk, refer to upgrade_splunk.yml for upgrades -- name: Install Required Packages - include_tasks: prereqs.yml - -- name: Block for non-root splunk user setup - block: - - name: Add nix splunk group - group: - name: "{{ splunk_nix_group }}" - state: present - local: "{{ local_os_group }}" - become: true - - - name: Add nix splunk user - user: - name: "{{ splunk_nix_user }}" - group: "{{ splunk_nix_group }}" - home: "{{ splunk_home }}" - state: present - shell: /bin/bash - local: "{{ local_os_user }}" - become: true - - - name: Allow splunk user to read /var/log - include_tasks: configure_facl.yml - - - name: Configure .bash_profile and .bashrc for splunk user - include_tasks: configure_bash.yml - - when: splunk_nix_user != 'root' - -- name: Configure OS to disable THP and increase ulimits for splunk process - include_tasks: configure_os.yml - -- name: Include download and unarchive task - include_tasks: download_and_unarchive.yml - -- name: Include configure splunk.secret task to standardize splunk.secret - include_tasks: configure_splunk_secret.yml - when: splunk_configure_secret - -- name: Include configure deployment client task - include_tasks: configure_deploymentclient.yml - when: - - clientName != 'undefined' - - splunk_uri_ds != 'undefined' - -- name: Include configure user-seed task - include_tasks: configure_user-seed.yml - when: - - splunk_admin_password != 'undefined' - -- name: Include configure default authentication.conf for AD authentication and admin role mapping - include_tasks: configure_authentication.yml - when: - - splunk_configure_authentication - - ad_bind_password != 'undefined' - -- name: Include custom management port task - include_tasks: configure_custom_mgmt_port.yml - when: splunkd_port != '8089' - -- name: Include disable management port task - include_tasks: configure_disable_mgmt_port.yml - when: splunk_disable_mgmt_port - -- name: Include accept 
license task - include_tasks: splunk_license_accept.yml - -- name: Enable boot start - include_tasks: configure_splunk_boot.yml - -- name: Include post-install tasks - include_tasks: post_install.yml +--- +# This task should be used for fresh installations of Splunk, refer to upgrade_splunk.yml for upgrades +- name: Install Required Packages + include_tasks: prereqs.yml + +- name: Block for non-root splunk user setup + block: + - name: Add nix splunk group + group: + name: "{{ splunk_nix_group }}" + state: present + local: "{{ local_os_group }}" + become: true + + - name: Add nix splunk user + user: + name: "{{ splunk_nix_user }}" + group: "{{ splunk_nix_group }}" + home: "{{ splunk_home }}" + state: present + shell: /bin/bash + local: "{{ local_os_user }}" + become: true + + - name: Allow splunk user to read /var/log + include_tasks: configure_facl.yml + + - name: Configure .bash_profile and .bashrc for splunk user + include_tasks: configure_bash.yml + + when: splunk_nix_user != 'root' + +- name: Configure OS to disable THP and increase ulimits for splunk process + include_tasks: configure_os.yml + +- name: Include download and unarchive task + include_tasks: download_and_unarchive.yml + +- name: Include configure splunk.secret task to standardize splunk.secret + include_tasks: configure_splunk_secret.yml + when: splunk_configure_secret + +- name: Include configure deployment client task + include_tasks: configure_deploymentclient.yml + when: + - clientName != 'undefined' + - splunk_uri_ds != 'undefined' + +- name: Include configure user-seed task + include_tasks: configure_user-seed.yml + when: + - splunk_admin_password != 'undefined' + +- name: Include configure default authentication.conf for AD authentication and admin role mapping + include_tasks: configure_authentication.yml + when: + - splunk_configure_authentication + - ad_bind_password != 'undefined' + +- name: Include custom management port task + include_tasks: configure_custom_mgmt_port.yml + when: 
splunkd_port != '8089' + +- name: Include disable management port task + include_tasks: configure_disable_mgmt_port.yml + when: splunk_disable_mgmt_port + +- name: Include accept license task + include_tasks: splunk_license_accept.yml + +- name: Configure Splunk launch before boot + include_tasks: configure_splunk_launch.yml + +- name: Enable boot start + include_tasks: configure_splunk_boot.yml + +- name: Include post-install tasks + include_tasks: post_install.yml From 8553bb840ae4473cc2c7daa19671e3d7ade05d9e Mon Sep 17 00:00:00 2001 From: arcsector <26469747+arcsector@users.noreply.github.com> Date: Thu, 23 Jan 2025 14:21:07 -0800 Subject: [PATCH 2/2] change back line endings --- roles/splunk/tasks/install_splunk.yml | 156 +++++++++++++------------- 1 file changed, 78 insertions(+), 78 deletions(-) diff --git a/roles/splunk/tasks/install_splunk.yml b/roles/splunk/tasks/install_splunk.yml index b415b72c..e70deda1 100644 --- a/roles/splunk/tasks/install_splunk.yml +++ b/roles/splunk/tasks/install_splunk.yml 
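Review bot: The new `Configure Splunk launch before boot` include sits after `splunk_license_accept.yml`; if that task starts splunkd to accept the license (its body is outside this diff), the SPLUNK_HOME/SPLUNK_DB values written afterwards only apply at the next restart, and the first start will already have created index and KV store directories under the default `$SPLUNK_HOME/var/lib/splunk`, leaving a custom `splunk_db_path` install with data in two places. Consider moving the include up to directly after `Include download and unarchive task`, or at least restarting splunkd once the launch config is written, and state in the task name or a comment which order the file depends on, e.g. `# splunk-launch.conf must be in place before the first splunkd start so SPLUNK_DB is honoured`. Almost all of this hunk is a line-ending rewrite that the second patch reverts; the only functional change is the single added include.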
@@ -1,78 +1,78 @@ ---- -# This task should be used for fresh installations of Splunk, refer to upgrade_splunk.yml for upgrades -- name: Install Required Packages - include_tasks: prereqs.yml - -- name: Block for non-root splunk user setup - block: - - name: Add nix splunk group - group: - name: "{{ splunk_nix_group }}" - state: present - local: "{{ local_os_group }}" - become: true - - - name: Add nix splunk user - user: - name: "{{ splunk_nix_user }}" - group: "{{ splunk_nix_group }}" - home: "{{ splunk_home }}" - state: present - shell: /bin/bash - local: "{{ local_os_user }}" - become: true - - - name: Allow splunk user to read /var/log - include_tasks: configure_facl.yml - - - name: Configure .bash_profile and .bashrc for splunk user - include_tasks: configure_bash.yml - - when: splunk_nix_user != 'root' - -- name: Configure OS to disable THP and increase ulimits for splunk process - include_tasks: configure_os.yml - -- name: Include download and unarchive task - include_tasks: download_and_unarchive.yml - -- name: Include configure splunk.secret task to standardize splunk.secret - include_tasks: configure_splunk_secret.yml - when: splunk_configure_secret - -- name: Include configure deployment client task - include_tasks: configure_deploymentclient.yml - when: - - clientName != 'undefined' - - splunk_uri_ds != 'undefined' - -- name: Include configure user-seed task - include_tasks: configure_user-seed.yml - when: - - splunk_admin_password != 'undefined' - -- name: Include configure default authentication.conf for AD authentication and admin role mapping - include_tasks: configure_authentication.yml - when: - - splunk_configure_authentication - - ad_bind_password != 'undefined' - -- name: Include custom management port task - include_tasks: configure_custom_mgmt_port.yml - when: splunkd_port != '8089' - -- name: Include disable management port task - include_tasks: configure_disable_mgmt_port.yml - when: splunk_disable_mgmt_port - -- name: Include accept 
license task - include_tasks: splunk_license_accept.yml - -- name: Configure Splunk launch before boot - include_tasks: configure_splunk_launch.yml - -- name: Enable boot start - include_tasks: configure_splunk_boot.yml - -- name: Include post-install tasks - include_tasks: post_install.yml +--- +# This task should be used for fresh installations of Splunk, refer to upgrade_splunk.yml for upgrades +- name: Install Required Packages + include_tasks: prereqs.yml + +- name: Block for non-root splunk user setup + block: + - name: Add nix splunk group + group: + name: "{{ splunk_nix_group }}" + state: present + local: "{{ local_os_group }}" + become: true + + - name: Add nix splunk user + user: + name: "{{ splunk_nix_user }}" + group: "{{ splunk_nix_group }}" + home: "{{ splunk_home }}" + state: present + shell: /bin/bash + local: "{{ local_os_user }}" + become: true + + - name: Allow splunk user to read /var/log + include_tasks: configure_facl.yml + + - name: Configure .bash_profile and .bashrc for splunk user + include_tasks: configure_bash.yml + + when: splunk_nix_user != 'root' + +- name: Configure OS to disable THP and increase ulimits for splunk process + include_tasks: configure_os.yml + +- name: Include download and unarchive task + include_tasks: download_and_unarchive.yml + +- name: Include configure splunk.secret task to standardize splunk.secret + include_tasks: configure_splunk_secret.yml + when: splunk_configure_secret + +- name: Include configure deployment client task + include_tasks: configure_deploymentclient.yml + when: + - clientName != 'undefined' + - splunk_uri_ds != 'undefined' + +- name: Include configure user-seed task + include_tasks: configure_user-seed.yml + when: + - splunk_admin_password != 'undefined' + +- name: Include configure default authentication.conf for AD authentication and admin role mapping + include_tasks: configure_authentication.yml + when: + - splunk_configure_authentication + - ad_bind_password != 'undefined' + +- name: 
Include custom management port task + include_tasks: configure_custom_mgmt_port.yml + when: splunkd_port != '8089' + +- name: Include disable management port task + include_tasks: configure_disable_mgmt_port.yml + when: splunk_disable_mgmt_port + +- name: Include accept license task + include_tasks: splunk_license_accept.yml + +- name: Configure Splunk launch before boot + include_tasks: configure_splunk_launch.yml + +- name: Enable boot start + include_tasks: configure_splunk_boot.yml + +- name: Include post-install tasks + include_tasks: post_install.yml