Restart splunk forwarder
9/6/2023

Ansible-role-for-splunk: An Ansible role for Splunk admins

This repository contains Splunk's official Ansible role for performing Splunk administration of remote hosts over SSH. This role can manage Splunk Enterprise and Universal Forwarders that are on Linux-based platforms (CentOS/Redhat/Ubuntu/Amazon Linux/OpenSUSE), as well as deploy configurations from Git repositories. Example playbooks and inventory files are also provided to help new Ansible users make the most out of this project.

ansible-role-for-splunk is used by the team to manage Splunk's corporate deployment of Splunk.

ansible-role-for-splunk is a single Ansible role for deploying and administering production Splunk deployments. It supports all Splunk deployment roles (Universal Forwarder, Heavy Forwarder, Indexer, Search Head, Deployment Server, Cluster Master, SHC Deployer, DMC, License Master) as well as management of all apps and configurations (via git repositories). This codebase is used by the team internally to manage our deployment, so it has been thoroughly vetted since it was first developed in late 2018. For more information about Ansible best practices, checkout our related.

Design Philosophy

A few different design philosophies have been applied in the development of this project.

First, ansible-role-for-splunk was designed under the "Don't Repeat Yourself (DRY)" philosophy. This means that the project contains minimal code redundancy. If you want to fork this project and change any functionality, you only need to update the code in one place.

Second, ansible-role-for-splunk was designed to be idempotent. This means that if the system is already in the desired state that Ansible expects, it will not make any changes. This even applies to our app management code, which can update apps on search heads without modifying existing local/ files that may have been created through actions in Splunk Web.

I have the Debian package installed at home lab and it seems to use systemd as default now. If I restart splunkd as my install user (which is called siem), I am prompted for root password, then a message says I have to restart as root using systemctl. Back when I used init instead it was important to restart splunk as the installation user, siem, otherwise splunk would not start properly, I think because somewhere under the installation tree under /opt/splunk, ownership of a file had changed (lock file?). I say that because a "chown -R siem:siem /opt/splunk" fixed that issue and siem user could restart splunk again. This is a common issue for us in production and was caused by others upgrading systems and the way they shut down and start the services, being none the wiser that this would then cause an issue with the Splunk installation. Similar issue if someone installs splunk as the default user (splunk): siem user could not start splunk until "chown -R siem:siem /opt/splunk". (These are rpm based systems still using init.)

So I wonder if systemd is causing a similar issue, as it appears to be forcing the Splunk service to be started as root and not the user that splunk was installed under. And if remotely restarting, perhaps a prompt for root password is not being seen, so Splunk cannot restart? Maybe an expect script over ssh as a remote solution? But not ideal. Maybe sudo is the answer, but that will be a whole lot of servers to manage, does not fit in with the company's security policy, and getting root password is an absolute pain procedure wise. I'm hoping I can force a legacy startup until splunk can advise how to install Splunk Enterprise under a specific user and be able to restart Splunk when we need to as that user. Otherwise Splunk just becomes a lump painting us into a corner.

Fortunately we are still using init in production, I hope it stays that way.