├── .ansible-lint ├── .github ├── FUNDING.yml └── workflows │ ├── molecule.yml │ └── release.yml ├── .gitignore ├── .pre-commit-config.yaml ├── .yamllint ├── LICENSE ├── README.md ├── defaults └── main.yml ├── handlers └── main.yml ├── meta └── main.yml ├── molecule └── default │ ├── Dockerfile.j2 │ ├── collections.yml │ ├── converge.yml │ ├── molecule.yml │ ├── prepare.yml │ └── verify.yml ├── requirements.txt ├── tasks ├── install-Debian.yml ├── install-RedHat.yml ├── install-aarch64.yml ├── install-package-manager.yml └── main.yml └── templates ├── deploymentclient.conf.j2 ├── inputs.conf.j2 ├── outputs.conf.j2 ├── splunkd.service.j2 └── user-seed.conf.j2 /.ansible-lint: -------------------------------------------------------------------------------- 1 | --- 2 | skip_list: 3 | - '106' 4 | 5 | mock_roles: 6 | - austincloudguru.splunk_forwarder 7 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # These are supported funding model platforms 3 | 4 | github: AustinCloudGuru 5 | -------------------------------------------------------------------------------- /.github/workflows/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Molecule 3 | 'on': 4 | schedule: 5 | - cron: "0 8 * * *" 6 | pull_request: 7 | branches: 8 | - main 9 | push: 10 | paths-ignore: 11 | - '**/README.md' 12 | 13 | defaults: 14 | run: 15 | working-directory: 'ansible-role-splunk-forwarder' 16 | 17 | jobs: 18 | molecule: 19 | name: Molecule 20 | runs-on: ubuntu-latest 21 | strategy: 22 | matrix: 23 | distro: 24 | - ubuntu:20.04 25 | - ubuntu:22.04 26 | - oraclelinux:8 27 | - oraclelinux:9 28 | - amazonlinux:2023 29 | - debian:12 30 | 31 | steps: 32 | - name: Check out the codebase. 
33 | uses: actions/checkout@v4 34 | with: 35 | path: 'ansible-role-splunk-forwarder' 36 | 37 | - name: Set up Python 3. 38 | uses: actions/setup-python@v5 39 | with: 40 | python-version: '3.x' 41 | 42 | - name: Install test dependencies. 43 | run: pip3 install -r requirements.txt 44 | 45 | - name: Run Molecule tests. 46 | run: molecule test 47 | env: 48 | PY_COLORS: '1' 49 | ANSIBLE_FORCE_COLOR: '1' 50 | MOLECULE_DISTRO: ${{ matrix.distro }} 51 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This workflow requires a GALAXY_API_KEY secret present in the GitHub 3 | # repository or organization. 4 | # 5 | # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy 6 | # See: https://github.com/ansible/galaxy/issues/46 7 | 8 | name: Release 9 | 'on': 10 | push: 11 | branches: 12 | - main 13 | 14 | defaults: 15 | run: 16 | working-directory: 'austincloudguru.splunk-forwarder' 17 | 18 | jobs: 19 | 20 | release: 21 | name: Release 22 | runs-on: ubuntu-latest 23 | steps: 24 | - name: Check out the codebase. 25 | uses: actions/checkout@v4 26 | with: 27 | path: 'austincloudguru.splunk-forwarder' 28 | 29 | - name: Set up Python 3. 30 | uses: actions/setup-python@v5 31 | with: 32 | python-version: '3.x' 33 | 34 | - name: Bump version and push tag 35 | if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} 36 | id: tag_version 37 | uses: mathieudutour/github-tag-action@v6.2 38 | with: 39 | github_token: ${{ secrets.GITHUB_TOKEN }} 40 | 41 | - name: Install Ansible. 42 | run: pip3 install -r requirements.txt 43 | 44 | - name: Trigger a new import on Galaxy. 
45 | run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) 46 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by .ignore support plugin (hsz.mobi) 2 | .idea/ 3 | molecule/default/tests/__pycache__/ 4 | .cache/ 5 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | repos: 3 | - repo: https://github.com/pre-commit/pre-commit-hooks 4 | rev: v4.0.1 5 | hooks: 6 | - id: check-merge-conflict 7 | - id: end-of-file-fixer 8 | - id: check-yaml 9 | - id: check-json 10 | - repo: https://github.com/ansible/ansible-lint.git 11 | rev: v6.0.0 12 | hooks: 13 | - id: ansible-lint 14 | files: \.(yaml|yml)$ 15 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | rules: 4 | braces: 5 | max-spaces-inside: 1 6 | level: error 7 | brackets: 8 | max-spaces-inside: 1 9 | level: error 10 | line-length: disable 11 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Mark Honomichl 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | 
furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Ansible Role: splunk-forwarder 2 | ========= 3 | [![Molecule](https://github.com/austincloudguru/ansible-role-splunk-forwarder/workflows/Molecule/badge.svg)](https://github.com/austincloudguru/ansible-role-splunk-forwarder/actions?query=workflow%3AMolecule) 4 | ![Latest Version](https://img.shields.io/github/v/tag/austincloudguru/ansible-role-splunk-forwarder?sort=semver&label=Latest%20Version) 5 | [![License](https://img.shields.io/github/license/austincloudguru/ansible-role-splunk-forwarder)](https://github.com/austincloudguru/ansible-role-splunk-forwarder/blob/master/LICENSE) 6 | 7 | This role will deploy the Splunk universal forwarder. 8 | 9 | Requirements 10 | ------------ 11 | 12 | This role is tested on Ubuntu 22.04 & 20.04, Oracle Linux 8 & 9, AmazonLinux 2023, and Debian 12 but should probably work on any systemd based system. The previous version of this role is available as a tag (v1.0) 13 | 14 | 15 | Role Variables 16 | -------------- 17 | 18 | ### Default 19 | 20 | For most people, the default variables that are set should be fine, but there are use cases for changing them. 
They are: 21 | 22 | 23 | splunk_forwarder_user # Default User (splunk) 24 | splunk_forwarder_group # Default Group (splunk) 25 | splunk_forwarder_uid # Default UID (10011) 26 | splunk_forwarder_gid # Default GID (10011) 27 | splunk_release # Default Release Version (7.1.3) 28 | splunk_url # Default Download URL 29 | splunk_forwarder_rpm # Default Splunk RPM Name 30 | splunk_forwarder_deb # Default Splunk Deb Name 31 | splunk_rpm # Default RPM Full URL 32 | splunk_deb # Default Deb Full URL 33 | splunk_deb_checksum # Default Deb Checksum 34 | splunk_rpm_checksum # Default RPM Checksum 35 | splunk_forwarder_input_blacklist # Default blacklist for inputs.conf 36 | splunk_forwarder_manage_inputs # Default whether to manage inputs.conf (true) 37 | splunk_forwarder_manage_outputs # Default whether to manage outputs.conf (true) 38 | splunk_forwarder_install_with_package_manager # Default whether to use a package manager (false) 39 | splunk_forwarder_packages # Default package manager packages ([splunkforwarder]) 40 | splunk_forwarder_cpu_shares # Default CPUShares for the systemd startup file 41 | splunk_forwarder_memory_limit # Default MemoryLimit for the systemd startup file 42 | 43 | ### Playbook Variables 44 | 45 | Within your playbook, you should set the following variables (keep `splunk_forwarder_admin_pass` in Ansible Vault rather than in plain text; the role renders it into user-seed.conf on the managed host): 46 | 47 | splunk_forwarder_admin_user: # Set the administrative user for the forwarder 48 | splunk_forwarder_admin_pass: # Set the administrative password for the forwarder 49 | splunk_forwarder_depl_server: # Set to the URL:Port of your splunk deployment server e.g. "splunk-mgt:8089" (optional) 50 | splunk_forwarder_indexer: # Set to the URL:PORT of your splunk indexer e.g. "splunk-indexer:9997" 51 | splunk_forwarder_index: # Set to the index that the forwarder should use e.g. "default" 52 | splunk_forwarder_sourcetype: # Set the Source type e.g. "nginx" 53 | 54 | You also need to set what logs to forward.
You can do so using a list: 55 | 56 | splunk_forwarder_logs: 57 | - /var/log/nginx/access.log 58 | - /var/log/nginx/error.log 59 | 60 | Dependencies 61 | ------------ 62 | 63 | You must have a Splunk indexer running in your environment. 64 | 65 | Example Playbook 66 | ---------------- 67 | 68 | You should define the required variables in your playbook and call the role: 69 | 70 | - hosts: nginx 71 | remote_user: ec2-user 72 | become: True 73 | vars: 74 | splunk_forwarder_indexer: "splunk-indexer:9997" 75 | splunk_forwarder_index: "prodapps" 76 | splunk_forwarder_sourcetype: "nginx" 77 | splunk_forwarder_logs: 78 | - /var/log/nginx/access.log 79 | - /var/log/nginx/error.log 80 | roles: 81 | - splunk-forwarder 82 | 83 | If you want to run this against AmazonLinux instances, add the following to your playbook; otherwise it will fail: 84 | 85 | pre_tasks: 86 | - set_fact: ansible_distribution_major_version=6 87 | when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" 88 | 89 | 90 | License 91 | ------- 92 | 93 | MIT 94 | 95 | 96 | Author Information 97 | ------------------ 98 | 99 | Mark Honomichl aka [AustinCloudGuru](https://austincloud.guru) 100 | Created in 2016 101 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | splunk_forwarder_user: "splunkfwd" 3 | splunk_forwarder_group: "splunkfwd" 4 | splunk_forwarder_uid: "10011" 5 | splunk_forwarder_gid: "10011" 6 | splunk_release: "9.2.1" 7 | splunk_url: "https://download.splunk.com/products/universalforwarder/releases/{{ splunk_release }}/linux" 8 | splunk_forwarder_rpm: "splunkforwarder-9.2.1-78803f08aabb.x86_64.rpm" 9 | splunk_forwarder_deb: "splunkforwarder-9.2.1-78803f08aabb-linux-2.6-amd64.deb" 10 | splunk_forwarder_arm: "splunkforwarder-9.2.1-78803f08aabb-Linux-armv8.tgz" 11 | splunk_rpm: "{{ splunk_url }}/{{ splunk_forwarder_rpm }}" 12
| splunk_deb: "{{ splunk_url }}/{{ splunk_forwarder_deb }}" 13 | splunk_arm: "{{ splunk_url }}/{{ splunk_forwarder_arm }}" 14 | splunk_rpm_checksum: "md5:8666c398b516c978cddfd58b51f09390" 15 | splunk_deb_checksum: "md5:5ee878df96c7ae751748ca3b5c542859" 16 | splunk_arm_checksum: "md5:b3eadde5b34e04d28c2d1ed2de1e3189"  # NOTE(review): md5 only catches accidental download corruption; prefer the vendor-published sha256 for these three values. Also, nothing in install-aarch64.yml consumes splunk_arm_checksum. 17 | splunk_forwarder_input_blacklist: '\.bz2$' 18 | splunk_forwarder_manage_inputs: true 19 | splunk_forwarder_manage_outputs: true 20 | 21 | # Set the Memory and CPU limits for the Splunk Forwarder 22 | splunk_forwarder_cpu_shares: "1024" 23 | splunk_forwarder_memory_limit: "6192173056" 24 | 25 | # Install splunk forwarder using the package manager instead of direct download of .deb or .rpm 26 | splunk_forwarder_install_with_package_manager: false 27 | splunk_forwarder_packages: 28 | - curl 29 | - splunkforwarder 30 | 31 | # These may be removed at some point, but they are placeholders so I don't forget to set them 32 | splunk_forwarder_indexer: "splunk-indexer:9997" 33 | splunk_forwarder_index: "default" 34 | splunk_forwarder_sourcetype: "nginx" 35 | 36 | splunk_forwarder_logs: [] 37 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Enable Splunk Forwarder 3 | ansible.builtin.service: 4 | name: splunkd 5 | enabled: true 6 | state: started 7 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | role_name: splunk_forwarder 4 | author: Mark Honomichl 5 | description: Installs the Splunk Forwarder 6 | company: AustinCloudGuru 7 | license: MIT 8 | namespace: austincloudguru 9 | min_ansible_version: "2.9" 10 | platforms: 11 | - name: Amazon 12 | versions: 13 | - all 14 | - name: Ubuntu 15 | versions: 16 | - xenial 17 | - bionic 18 | - focal 19 | - name: 
EL 20 | versions: 21 | - all 22 | galaxy_tags: 23 | - splunk 24 | - splunkforwarder 25 | 26 | dependencies: [] 27 | -------------------------------------------------------------------------------- /molecule/default/Dockerfile.j2: -------------------------------------------------------------------------------- 1 | # Molecule managed 2 | 3 | {% if item.registry is defined %} 4 | FROM {{ item.registry.url }}/{{ item.image }} 5 | {% else %} 6 | FROM {{ item.image }} 7 | {% endif %} 8 | 9 | RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y acl sudo bash ca-certificates rsyslog postfix iproute2 systemd unzip xz-utils && apt-get clean; \ 10 | elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python3 sudo python3-devel python3-dnf bash systemd systemd-libs initscripts acl unzip gzip tar && dnf clean all; \ 11 | elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python shadow-utils acl openssh-server systemd systemd-libs initscripts sudo unzip gzip tar yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ 12 | elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ 13 | elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ 14 | elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi 15 | -------------------------------------------------------------------------------- /molecule/default/collections.yml: -------------------------------------------------------------------------------- 1 | --- 2 | collections: 3 | - name: ansible.posix 4 | -------------------------------------------------------------------------------- /molecule/default/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: all 4 | 
vars: 5 | splunk_forwarder_logs: 6 | - /var/log/nginx/access.log 7 | - /var/log/nginx/error.log 8 | roles: 9 | - role: austincloudguru.splunk_forwarder 10 | -------------------------------------------------------------------------------- /molecule/default/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependency: 3 | name: galaxy 4 | options: 5 | ignore-certs: true 6 | ignore-errors: true 7 | requirements-file: collections.yml 8 | driver: 9 | name: podman 10 | lint: | 11 | set -e 12 | yamllint . 13 | ansible-lint 14 | platforms: 15 | - name: instance 16 | image: ${MOLECULE_DISTRO:-amazonlinux} 17 | privileged: true 18 | volumes: 19 | - /sys/fs/cgroup:/sys/fs/cgroup:ro 20 | command: /lib/systemd/systemd 21 | platform: amd64 22 | # platform: arm64v8 23 | provisioner: 24 | name: ansible 25 | verifier: 26 | name: ansible 27 | -------------------------------------------------------------------------------- /molecule/default/prepare.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Prepare instance for role execution 3 | hosts: all 4 | become: true 5 | tasks: 6 | - name: Create Nginx Directory 7 | ansible.builtin.file: 8 | path: /var/log/nginx 9 | state: directory 10 | owner: root 11 | group: sys 12 | mode: 0775 13 | - name: Create Files 14 | ansible.builtin.file: 15 | path: /var/log/nginx/access.log 16 | state: touch 17 | owner: root 18 | group: sys 19 | mode: 0775 20 | - name: Create Files 21 | ansible.builtin.file: 22 | path: /var/log/nginx/error.log 23 | state: touch 24 | owner: root 25 | group: sys 26 | mode: 0775 27 | -------------------------------------------------------------------------------- /molecule/default/verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Verify 3 | hosts: all 4 | gather_facts: false 5 | vars: 6 | service_name: splunkd.service 7 | vars_files: 8 | - 
"../../defaults/main.yml" 9 | tasks: 10 | - name: Get the Groups 11 | ansible.builtin.getent: 12 | database: group 13 | 14 | - name: Get the Users 15 | ansible.builtin.getent: 16 | database: passwd 17 | 18 | - name: Assert Results 19 | ansible.builtin.assert: 20 | that: 21 | - getent_passwd.splunkfwd is defined 22 | - getent_group.splunkfwd is defined 23 | quiet: true 24 | 25 | - name: Verify inputs.conf 26 | ansible.builtin.shell: | 27 | set -o pipefail 28 | grep 'bz2' /opt/splunkforwarder/etc/system/local/inputs.conf 29 | args: 30 | executable: /bin/bash 31 | register: config_settings 32 | failed_when: config_settings.rc != 0 33 | changed_when: config_settings.rc != 0 34 | 35 | - name: Gather service facts 36 | ansible.builtin.service_facts: 37 | 38 | - name: Print service facts 39 | ansible.builtin.debug: 40 | var: ansible_facts.services["{{ service_name }}"] 41 | 42 | - name: Assert splunkforwarder is running 43 | ansible.builtin.assert: 44 | that: ansible_facts.services["{{ service_name }}"]["state"] == "running" 45 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | ansible==9.4.0 2 | ansible-compat==4.1.11 3 | ansible-core==2.16.5 4 | ansible-lint==24.2.1 5 | attrs==23.2.0 6 | black==24.3.0 7 | bracex==2.4 8 | certifi==2024.2.2 9 | cffi==1.16.0 10 | charset-normalizer==3.3.2 11 | click==8.1.7 12 | click-help-colors==0.9.4 13 | cryptography==42.0.5 14 | enrich==1.2.7 15 | filelock==3.13.3 16 | flake8==7.0.0 17 | idna==3.6 18 | Jinja2==3.1.3 19 | jsonschema==4.21.1 20 | jsonschema-specifications==2023.12.1 21 | markdown-it-py==3.0.0 22 | MarkupSafe==2.1.5 23 | mccabe==0.7.0 24 | mdurl==0.1.2 25 | molecule==24.2.0 26 | molecule-plugins==23.5.3 27 | mypy-extensions==1.0.0 28 | packaging==24.0 29 | pathspec==0.12.1 30 | platformdirs==4.2.0 31 | pluggy==1.4.0 32 | podman==5.0.0 33 | pycodestyle==2.11.1 34 | pycparser==2.22 35 | 
pyflakes==3.2.0 36 | Pygments==2.17.2 37 | pyxdg==0.28 38 | PyYAML==6.0.1 39 | referencing==0.34.0 40 | requests==2.31.0 41 | resolvelib==1.0.1 42 | rich==13.7.1 43 | rpds-py==0.18.0 44 | ruamel.yaml==0.18.6 45 | ruamel.yaml.clib==0.2.8 46 | subprocess-tee==0.4.1 47 | urllib3==2.2.1 48 | wcmatch==8.5.1 49 | yamllint==1.35.1 50 | -------------------------------------------------------------------------------- /tasks/install-Debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Download the Splunk package (Debian/Ubuntu) 3 | ansible.builtin.get_url: 4 | url: "{{ splunk_deb }}" 5 | dest: "/tmp/{{ splunk_forwarder_deb }}" 6 | checksum: "{{ splunk_deb_checksum }}" 7 | mode: 0664 8 | 9 | - name: Install Splunk (Debian/Ubuntu) 10 | ansible.builtin.apt: 11 | deb: "/tmp/{{ splunk_forwarder_deb }}" 12 | state: present 13 | -------------------------------------------------------------------------------- /tasks/install-RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Download the Splunk package (Enterprise Linux) 3 | ansible.builtin.get_url: 4 | url: "{{ splunk_rpm }}" 5 | dest: "/tmp/{{ splunk_forwarder_rpm }}" 6 | checksum: "{{ splunk_rpm_checksum }}" 7 | mode: 0664 8 | 9 | - name: Install Splunk (python2 yum) 10 | ansible.builtin.yum: 11 | name: "/tmp/{{ splunk_forwarder_rpm }}" 12 | state: present 13 | when: ansible_facts.python.version.major | int < 3 14 | 15 | - name: Install Splunk (python3 dnf) 16 | ansible.builtin.dnf: 17 | name: "/tmp/{{ splunk_forwarder_rpm }}" 18 | disable_gpg_check: true 19 | state: present 20 | when: ansible_facts.python.version.major | int >= 3 21 | -------------------------------------------------------------------------------- /tasks/install-aarch64.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check Version Installed 3 | ansible.builtin.shell: | 4 | set -o 
pipefail 5 | if [ -f /opt/splunkforwarder/bin/splunk ]; then 6 | /opt/splunkforwarder/bin/splunk -version |tail -1 |cut -d ' ' -f 4 7 | fi 8 | args: 9 | executable: /bin/bash 10 | register: splunk_version_check 11 | changed_when: splunk_version_check.stdout != splunk_release 12 | # NOTE(review): the archive below is fetched by unarchive with remote_src and is never checksum-verified (splunk_arm_checksum in defaults is unused); downloading with get_url + checksum first would close that gap 13 | - name: Install the Splunk Package 14 | ansible.builtin.unarchive: 15 | src: "{{ splunk_arm }}" 16 | dest: "/opt" 17 | remote_src: true 18 | owner: "{{ splunk_forwarder_user }}" 19 | group: "{{ splunk_forwarder_group }}" 20 | mode: 0755 21 | when: splunk_version_check.stdout != splunk_release 22 | -------------------------------------------------------------------------------- /tasks/install-package-manager.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Ensure Splunk Forwarder using APT package manager 3 | ansible.builtin.apt: 4 | name: "{{ splunk_forwarder_packages }}" 5 | state: present 6 | when: ansible_facts.os_family == 'Debian' 7 | # NOTE(review): disable_gpg_check: true on the DNF task skips RPM signature verification for packages pulled from the repository; import the repository signing key and drop the flag where possible 8 | - name: Ensure Splunk Forwarder using DNF package manager 9 | ansible.builtin.dnf: 10 | name: "{{ splunk_forwarder_packages }}" 11 | disable_gpg_check: true 12 | state: present 13 | when: ansible_facts.os_family == 'RedHat' 14 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Splunk group 3 | ansible.builtin.group: 4 | name: "{{ splunk_forwarder_group }}" 5 | gid: "{{ splunk_forwarder_gid }}" 6 | state: present 7 | tags: splunk_user 8 | 9 | - name: Create Splunk user 10 | ansible.builtin.user: 11 | name: "{{ splunk_forwarder_user }}" 12 | group: "{{ splunk_forwarder_group }}" 13 | uid: "{{ splunk_forwarder_uid }}" 14 | state: present 15 | tags: splunk_user 16 | 17 | - name: Install Splunk from package manager (Satellite, etc) 18 | ansible.builtin.include_tasks: install-package-manager.yml 19 | when: 
splunk_forwarder_install_with_package_manager | bool 20 | 21 | - name: Install Splunk from Downloaded Packages for x86_64 22 | ansible.builtin.include_tasks: install-{{ ansible_os_family }}.yml 23 | when: 24 | - not splunk_forwarder_install_with_package_manager | bool 25 | - ansible_architecture != "aarch64" 26 | 27 | - name: Install Splunk on Linux Based Arm Based Systems 28 | ansible.builtin.include_tasks: install-{{ ansible_architecture }}.yml 29 | when: 30 | - not splunk_forwarder_install_with_package_manager | bool 31 | - ansible_system == "Linux" and ansible_architecture == "aarch64" 32 | # NOTE(review): user-seed.conf carries the admin password in clear text (see templates/user-seed.conf.j2); mode 0664 leaves it world-readable on the host, and backup: true keeps earlier copies around. 0600 with owner/group set to the splunk user would be tighter. 33 | - name: Copy user seeds file 34 | ansible.builtin.template: 35 | src: user-seed.conf.j2 36 | dest: /opt/splunkforwarder/etc/system/local/user-seed.conf 37 | mode: 0664 38 | backup: true 39 | when: splunk_forwarder_admin_user is defined and splunk_forwarder_admin_pass is defined 40 | tags: config_copy 41 | 42 | - name: Copy deploymentclient file 43 | ansible.builtin.template: 44 | src: deploymentclient.conf.j2 45 | dest: /opt/splunkforwarder/etc/system/local/deploymentclient.conf 46 | mode: 0664 47 | backup: true 48 | when: splunk_forwarder_depl_server is defined 49 | tags: config_copy 50 | 51 | - name: Copy inputs file 52 | ansible.builtin.template: 53 | src: inputs.conf.j2 54 | dest: /opt/splunkforwarder/etc/system/local/inputs.conf 55 | mode: 0664 56 | backup: true 57 | when: splunk_forwarder_manage_inputs 58 | tags: config_copy 59 | 60 | - name: Copy outputs file 61 | ansible.builtin.template: 62 | src: outputs.conf.j2 63 | dest: /opt/splunkforwarder/etc/system/local/outputs.conf 64 | mode: 0664 65 | backup: true 66 | when: splunk_forwarder_manage_outputs 67 | tags: config_copy 68 | 69 | - name: Set logfile permissions 70 | ansible.posix.acl: 71 | path: "{{ item }}" 72 | entity: "{{ splunk_forwarder_user }}" 73 | state: present 74 | etype: user 75 | permissions: r 76 | recursive: true 77 | become: true 78 | with_items: "{{ splunk_forwarder_logs }}" 79 | 80 | - name: 
Upload Splunk Systemd Script 81 | ansible.builtin.template: 82 | src: splunkd.service.j2 83 | dest: /etc/systemd/system/splunkd.service 84 | owner: root 85 | group: root 86 | mode: 0644 87 | notify: Enable Splunk Forwarder 88 | when: ansible_service_mgr == 'systemd' 89 | -------------------------------------------------------------------------------- /templates/deploymentclient.conf.j2: -------------------------------------------------------------------------------- 1 | [target-broker:deploymentServer] 2 | targetUri = {{ splunk_forwarder_depl_server }} 3 | -------------------------------------------------------------------------------- /templates/inputs.conf.j2: -------------------------------------------------------------------------------- 1 | # 2 | # This file is maintained by ansible 3 | # Any local changes will be reverted. 4 | ### 5 | [default] 6 | index = {{ splunk_forwarder_index }} 7 | 8 | blacklist = {{ splunk_forwarder_input_blacklist }} 9 | ignoreOlderThan = 7d 10 | sourcetype = {{ splunk_forwarder_sourcetype }} 11 | 12 | {% for input_src in splunk_forwarder_logs %} 13 | [monitor://{{ input_src }}] 14 | {% endfor %} 15 | -------------------------------------------------------------------------------- /templates/outputs.conf.j2: -------------------------------------------------------------------------------- 1 | [tcpout] 2 | defaultGroup = splunk 3 | disabled = false 4 | 5 | [tcpout:splunk] 6 | server = {{ splunk_forwarder_indexer }} 7 | 8 | [tcpout-server://{{ splunk_forwarder_indexer }}] 9 | -------------------------------------------------------------------------------- /templates/splunkd.service.j2: -------------------------------------------------------------------------------- 1 | # 2 | # {{ ansible_managed }} 3 | # 4 | [Unit] 5 | Description=Systemd service file for Splunk 6 | After=network-online.target 7 | Wants=network-online.target 8 | 9 | [Service] 10 | Type=simple 11 | Restart=always 12 | ExecStart=/opt/splunkforwarder/bin/splunk 
_internal_launch_under_systemd --accept-license --no-prompt --answer-yes 13 | KillMode=mixed 14 | KillSignal=SIGINT 15 | TimeoutStopSec=360 16 | LimitNOFILE=65536 17 | LimitRTPRIO=99 18 | SuccessExitStatus=51 52 19 | RestartPreventExitStatus=51 20 | RestartForceExitStatus=52 21 | User={{ splunk_forwarder_user }} 22 | Group={{ splunk_forwarder_group }} 23 | NoNewPrivileges=yes 24 | AmbientCapabilities=CAP_DAC_READ_SEARCH 25 | ExecStartPre=-/bin/bash -c "chown -R {{ splunk_forwarder_user }}:{{ splunk_forwarder_group }} /opt/splunkforwarder" 26 | Delegate=true 27 | CPUShares={{ splunk_forwarder_cpu_shares }} 28 | MemoryLimit={{ splunk_forwarder_memory_limit }} 29 | PermissionsStartOnly=true 30 | ExecStartPost=-/bin/bash -c "chown -R {{ splunk_forwarder_user }}:{{ splunk_forwarder_group }} /sys/fs/cgroup/system.slice/%n" 31 | 32 | [Install] 33 | WantedBy=multi-user.target 34 | -------------------------------------------------------------------------------- /templates/user-seed.conf.j2: -------------------------------------------------------------------------------- 1 | [user_info] 2 | USERNAME = {{ splunk_forwarder_admin_user }} 3 | PASSWORD = {{ splunk_forwarder_admin_pass }} 4 | --------------------------------------------------------------------------------