6 |
7 | The solution utilizes various third-party technologies/services along with F5’s automation toolchain including:
8 |
9 | - **Hashicorp Terraform** and **Consul** for infrastructure provisioning, service discovery and event logging
10 | - **F5 BIG-IP(s)** providing L4/L7 ADC Services
11 | - **F5 Declarative Onboarding**, (DO) and **Application Services 3 Extension**, (AS3) to deploy to configure BIG-IP application services
12 | - **F5 Telemetry Streaming**, (TS) to stream telemetry data to a third party analytics provider
13 | - **GitHub Actions** for workflow automation
14 | - **Azure or AWS** public clouds for application hosting
15 | - **Third-party Analytics Provider**, (integrated with BIG-IP(s) via TS) for monitoring and alerting, (environment includes and ELK stack trial for testing/demo purposes)
16 |
17 |
18 | ### GitHub Secrets
19 | Create the following [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets). The secrets will be utilized by the actions workflow to securely update the deployment. Depending upon which cloud you deploy into, you will need to provide either an [AWS access key and corresponding secret](https://aws.amazon.com/premiumsupport/knowledge-center/create-access-key/) or [Azure service prinicipal credentials](https://github.com/marketplace/actions/azure-login) as well as a [GitHub acces token](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) for your repository.
20 |
21 |
22 | #### Required for all deployments
23 | - GH_TOKEN - *ex: ghp_mkqCzxBci0Sl3.......rY
24 |
25 | #### Required for AWS deployments
26 | - AWS_ACCESS_KEY_ID - *ex: AKIATXXXXXXXXXXXXXXX
27 | - AWS_SECRET_ACCESS_KEY - *ex: kkLeijGuHYXXXXXXXXXXXXXXXXXXXXXXXXX
28 |
29 | #### Required for Azure deployments
30 | - AZURE_CLIENT_ID - *ex: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
31 | - AZURE_CLIENT_SECRET - *ex: XXXXXXXXXXXXXXXXXXXXXXXXXXX
32 | - AZURE_SUBSCRIPTION_ID - *ex: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
33 | - AZURE_TENANT_ID - *ex: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
34 | - AZURE_CREDS - Comination of the above in JSON format - *ex: {"clientId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "clientSecret": "XXXXXXXXXXXXXXXXXXXXXXXX", "subscriptionId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "tenantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"}*
35 |
36 | ### Terraform Variables
37 |
38 | The following variables, (*located in ./terraform/terraform.tfvars*) should be modified as necessary.
39 |
40 | - location *(**Azure Deployments only**)* = The Azure region where the application infrastructure will be deployed - *default: "eastus"*
41 | - region *(**AWS Deployments only**)* = The AWS region where the application infrastructure will be deployed - *ex: "us-west-1"*
42 | - github_owner = Github Account hosting the repository - *ex: "f5devcentral"*
43 | - repo_path = - *ex: "/repos/f5devcentral/adc-telemetry-based-autoscaling/dispatches"*
44 | - github_token = - *ex: "ghp_mkqCzxBci0Sl3.......rY"
45 | - bigip_count = - *default: 1*
46 | - workload_count = - *default: 2*
47 | - bigip_min = - *default: 1*
48 | - bigip_max = - *default: 5*
49 | - workload_min = - *default: 2*
50 | - workload_max = - *default: 5*
51 | - scale_interval = Interval, (in seconds) between scaling events. Alerts fired within interval setting will fail. - *default: 300*
52 | - ts_consumer = The analytics consumer connecting to (*1 = splunk 2 = elk 3 = azure log analytics - default: 1*)
53 | - splunkIP = Optional - IP address of Splunk Enterprise. TS declaration assumes HEC listening on default port of **8088** and using HTTPS
54 | - splunkHEC = Optional - Splunk HEC token
55 | - logStashIP = Optional - IP address of Logstash service. TS declaration assumes logstash listening on default port of **8080** and using HTTP
56 | - law_id = Optional - Azure log analytics workspace ID
57 | - law_primarykey = Optional - Azure log analytics workspace primary key
58 | - ec2_key_name *(**AWS Deployments only**)* = Name of an existing AWS [key pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) - *ex: "glckey"*
59 |
60 | In addition to the above variables, the solution derives and sets two key local values, (hostname & app_id). The app_id is randomly generated and unique to the deployment. The hostname is assigned to all BIG-IP instances in the cluster with a format of - "*bigip.
76 |
77 |
78 | ### The AlertForwarder service
79 | The AlertForwwarder (AF) is a simple NodeJS service that is deployed on the Consul virtual machine instance as part of the application infrastructure. The service's sole purpose is to receive alerts; (webhooks) from the analytics vendor, (currently Splunk, ELK, and/or Azure Log Analytics), normalize the webhook payload, and securely proxy the call to trigger the GitHub action workflow.
80 |
81 | The AF service exposes a single endpoint, (*https://Application ${app_id} Scaling Operations Status
"; 135 | echo ""; 136 | echo(date("m-d-Y H:i:s",\$t)); 137 | echo "
"; 138 | \$url1 = array("Scaling operation active? " => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/is_running?raw"); 139 | \$url2 = array("Current backend workload count: " => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/workload/current_count?raw"); 140 | \$url3 = array("Last workload scaling event timestamp: " => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/workload/last_modified_timestamp?raw"); 141 | \$url4 = array("Current BIG-IP cluster count: " => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/bigip/current_count?raw"); 142 | \$url5 = array("Last BIG-IP scaling event timestamp" => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/bigip/last_modified_timestamp?raw"); 143 | 144 | \$urls = array_merge(\$url1, \$url2, \$url3, \$url4, \$url5); 145 | \$array_length = count(\$urls); 146 | \$ch = curl_init(); 147 | echo "
| ";
148 | foreach (\$urls as \$x => \$x_value)
149 | {
150 | echo " " . \$x; 151 | \$headers = []; 152 | \$headers[] = 'X-Consul-Token: 6ae6afa6-a8f3-06ba-b960-515c7963d23a'; 153 | curl_setopt(\$ch, CURLOPT_HTTPHEADER, \$headers); 154 | curl_setopt(\$ch, CURLOPT_URL, \$x_value); 155 | curl_setopt(\$ch, CURLOPT_HEADER, false); 156 | curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, false); 157 | curl_setopt(\$ch, CURLOPT_VERBOSE, true); 158 | 159 | echo " "; 160 | 161 | curl_exec(\$ch); 162 | } 163 | echo " |
Application ${app_id} Scaling Operations Status
"; 135 | echo ""; 136 | echo(date("m-d-Y H:i:s",\$t)); 137 | echo "
"; 138 | \$url1 = array("Scaling operation active? " => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/is_running?raw"); 139 | \$url2 = array("Current backend workload count: " => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/workload/current_count?raw"); 140 | \$url3 = array("Last workload scaling event timestamp: " => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/workload/last_modified_timestamp?raw"); 141 | \$url4 = array("Current BIG-IP cluster count: " => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/bigip/current_count?raw"); 142 | \$url5 = array("Last BIG-IP scaling event timestamp" => "http://${consul_ip}:8500/v1/kv/adpm/applications/${app_id}/scaling/bigip/last_modified_timestamp?raw"); 143 | 144 | \$urls = array_merge(\$url1, \$url2, \$url3, \$url4, \$url5); 145 | \$array_length = count(\$urls); 146 | \$ch = curl_init(); 147 | echo "
| ";
148 | foreach (\$urls as \$x => \$x_value)
149 | {
150 | echo " " . \$x; 151 | \$headers = []; 152 | \$headers[] = 'X-Consul-Token: 6ae6afa6-a8f3-06ba-b960-515c7963d23a'; 153 | curl_setopt(\$ch, CURLOPT_HTTPHEADER, \$headers); 154 | curl_setopt(\$ch, CURLOPT_URL, \$x_value); 155 | curl_setopt(\$ch, CURLOPT_HEADER, false); 156 | curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, false); 157 | curl_setopt(\$ch, CURLOPT_VERBOSE, true); 158 | 159 | echo " "; 160 | 161 | curl_exec(\$ch); 162 | } 163 | echo " |
18 |
19 | 3. On the *Create Index Pattern* screen enter ``f5-*`` for the index pattern name. As the example below illustrates, you should see
20 | several indexes listed below. As telemetry data is streamed from the BIG-IP(s) to the ELK stack, (via Logstash - the '*L*' in ELK)
21 | it is assigned an index with a pattern of **f5-%{+YYYY.MM.dd.hh.mm}**. Click '*Next Step*' to continue.
22 |
23 | 
24 |
25 | 4. Select **@timestamp** from the drop-down list for the '*Time Field*'. Select '*Create index pattern*' to complete the process.
26 |
27 | 
28 |
29 |
30 | **Create Watcher Alerts**
31 | --------------------------------------
32 |
33 | You will be using Elastic Watcher to monitor telemetry data and provide alert notifications. While still in the *Stack Management*
34 | submenu navigate to and select '*Watcher*', (see above). From the center panel select '*Create*' and then '*Create threshold alert*'.
35 |
36 | 
37 |
38 | For this solution create a total of four (4) alerts. These alerts will monitor and respond to increases/decreases in BIG-IP CPU
39 | utilization and current application connections. In the event a member BIG-IP's CPU utilization exceeds or falls below the specified thresholds during the specified interval, an alert will fire triggering a webhook call to the *alertForwarder* service.
40 | The alertForwarder will subsequently post a BIG-IP scaling request to the central processor, (utilizing the repo's **GitHub Actions**).
41 |
42 | Likewise, if current connections fall outside of the specified thresholds a similar alert will be fired. However, rather than
43 | scaling BIG-IP instances, this will trigger a scaling (up/down) of the backend application workloads, (*solution example: NGINX*). Use the screenshot example below to create the first alert, (*MaxCpuAlert*).
44 |
45 | #. Provide a name, select the previously created index pattern of ``f5-*``, timestamp and timing parameters as shown below. Under
46 | conditions section select **Max()**, **myMaxCpu**, **top 1**, **hostname.keyword**, **5000** and **5 minutes** as shown below.
47 |
48 | **Note:** You should see a green line of the displayed chart that represents the selected field's, (*myMaxCpu*) value trend.
49 | This will aid you in setting threshold values appropriately to ensure scaling events are triggered. With that said, the lab
50 | environment has been configured with hard limits of (3) BIG-IP instances and (3) workload instances to ensure availability of
51 | resources for all students. Additionally, the ADPM processor is designed to throttle requests and prevent superfluous "over-scaling". Requests that are triggered but not fullfilled, (along with successful requests) are logged on your environment's Consul server.
52 |
53 | 
54 |
55 | #. In the *Actions* section select '*Add action*'. From the menu pop-up select '*Webhook*', (see below).
56 |
57 | 
58 |
59 | #. Use the below example to complete the webhook section. When you are done select '*Create alert*'. Specifiy ``alertforwarder.f5demo.net`` for the Host. For the webhook body
60 | enter ``{"source": "elk", "scaleAction":"scaleOutBigip", "message": "{{ctx.payload}}"}``. The *alertForwarder* service is expecting the JSON formatted
61 | payload and will parse according to source. The *alertForwarder* call the central processer, (via webhook) to trigger scaling.
62 |
63 | 
64 |
65 | #. Use the table and example images below to create three additional alerts. Entries not noted in the table below are identical
66 | across alerts.
67 |
68 | .. list-table::
69 | :widths: 10 10 20 40 20 60 80
70 | :header-rows: 1
71 | :stub-columns: 1
72 |
73 | * - **Name**
74 | - **WHEN**
75 | - **OF**
76 | - **GROUPED OVER**
77 | - **IS**
78 | - **LAST**
79 | - **Webhook body**
80 | * - MinCpuAlert
81 | - max()
82 | - myCurCons
83 | - top 1 of hostname.keyword
84 | - BELOW 1000
85 | - 5 minutes
86 | - ``{"source": "elk", "scaleAction":"scaleInBigip", "message": "{{ctx.payload}}"}``
87 | * - MinConnsAlert
88 | - max()
89 | - myCurCons
90 | - top 1 of hostname.keyword
91 | - BELOW 50
92 | - 5 minutes
93 | - ``{"source": "elk", "scaleAction":"scaleInWorkload", "message": "{{ctx.payload}}"}``
94 | * - MaxConnsAlert
95 | - max()
96 | - myCurCons
97 | - top 1 of hostname.keyword
98 | - ABOVE 500
99 | - 5 minutes
100 | - ``{"source": "elk", "scaleAction":"scaleOutWorkload", "message": "{{ctx.payload}}"}``
101 |
102 | 
103 |
104 | Below is an example of a completed Watcher screen. TS logs are streamed in 60-second intervals. Depending upon how you set
105 | your thresholds, you may already have alerts firing. The Watcher screen provides one way to monitor alert events.
106 |
107 | 
108 |
109 |
--------------------------------------------------------------------------------
/ts_consumers/elastic/elk.tf:
--------------------------------------------------------------------------------
1 | resource "azurerm_public_ip" "elk_public_ip" {
2 | name = "pip-mgmt-elk"
3 | location = var.location
4 | resource_group_name = azurerm_resource_group.rg.name
5 | allocation_method = "Static" # Static is required due to the use of the Standard sku
6 | tags = {
7 | Name = "pip-mgmt-elk"
8 | source = "terraform"
9 | }
10 | }
11 |
12 | data "azurerm_public_ip" "elk_public_ip" {
13 | name = azurerm_public_ip.elk_public_ip.name
14 | resource_group_name = azurerm_resource_group.rg.name
15 | }
16 |
17 | resource "azurerm_network_interface" "elkvm-ext-nic" {
18 | name = "${local.app_id}-elkvm-ext-nic"
19 | location = var.location
20 | resource_group_name = azurerm_resource_group.rg.name
21 | ip_configuration {
22 | name = "primary"
23 | subnet_id = data.azurerm_subnet.mgmt.id
24 | private_ip_address_allocation = "Static"
25 | private_ip_address = "10.2.1.125"
26 | primary = true
27 | public_ip_address_id = azurerm_public_ip.elk_public_ip.id
28 | }
29 |
30 | tags = {
31 | Name = "${local.app_id}-elkvm-ext-int"
32 | application = "elkserver"
33 | tag_name = "Env"
34 | value = "elk"
35 | }
36 | }
37 |
38 | resource "azurerm_virtual_machine" "elkvm" {
39 | name = "elkvm"
40 | location = var.location
41 | resource_group_name = azurerm_resource_group.rg.name
42 | network_interface_ids = [azurerm_network_interface.elkvm-ext-nic.id]
43 | vm_size = "Standard_DS3_v2"
44 |
45 | # Uncomment this line to delete the OS disk automatically when deleting the VM
46 | delete_os_disk_on_termination = true
47 |
48 | # Uncomment this line to delete the data disks automatically when deleting the VM
49 | delete_data_disks_on_termination = true
50 |
51 | storage_os_disk {
52 | name = "elkvmOsDisk"
53 | caching = "ReadWrite"
54 | create_option = "FromImage"
55 | managed_disk_type = "Premium_LRS"
56 | }
57 |
58 | storage_image_reference {
59 | publisher = "Canonical"
60 | offer = "UbuntuServer"
61 | sku = "16.04.0-LTS"
62 | version = "latest"
63 | }
64 |
65 | os_profile {
66 | computer_name = "elkvm"
67 | admin_username = "elkuser"
68 | admin_password = var.upassword
69 | custom_data = file("../scripts/elk.sh")
70 |
71 | }
72 |
73 | os_profile_linux_config {
74 | disable_password_authentication = false
75 | }
76 |
77 | tags = {
78 | Name = "${local.app_id}-elkvm"
79 | tag_name = "Env"
80 | value = "elk"
81 | propagate_at_launch = true
82 | }
83 |
84 | connection {
85 | type = "ssh"
86 | user = "elkuser"
87 | password = var.upassword
88 | host = data.azurerm_public_ip.elk_public_ip.ip_address
89 | }
90 | }
91 |
92 | output "elk_public_address" {
93 | value = "http://${azurerm_public_ip.elk_public_ip.ip_address}:8000"
94 | }
95 |
--------------------------------------------------------------------------------
/ts_consumers/elastic/logstash.conf:
--------------------------------------------------------------------------------
1 | input {
2 | http {
3 | port => 8080
4 | }
5 | }
6 |
7 | filter {
8 | json {
9 | source => "message"
10 | }
11 |
12 | mutate {
13 | add_field => { "myMaxCpu" =>" %{MaxCpu}"}
14 | add_field => { "myCurCons" =>" %{server_concurrent_conns}"}
15 | }
16 |
17 | mutate {
18 | convert => { "myMaxCpu" => "integer" }
19 | convert => { "myCurCons" => "integer" }
20 | }
21 | }
22 |
23 | output {
24 |
25 | elasticsearch {
26 | hosts => ["https://127.0.0.1:9200"]
27 | user => "elastic"
28 | password => "F5demonet!"
29 | codec => json
30 | index => "f5-%{+YYYY.MM.dd.hh.mm}"
31 | ssl => true
32 | ssl_certificate_verification => false
33 | cacert => "/etc/logstash/elasticsearch-ca.pem"
34 | }
35 | }
--------------------------------------------------------------------------------
/ts_consumers/splunk/README.md:
--------------------------------------------------------------------------------
1 | Configuring Alerts with Splunk Enterprise
2 | ====================================================
3 |
4 | **Installing the Splunk Add-on for F5 BIG-IP and Splunk CIM**
5 | -----------------------------------------------------------
6 |
7 | Installing the Splunk Add-on for F5 BIG-IP is very simple. I will go over the steps below. In order to make use of the add-on I’ll need to install Splunk’s Common Information Model, (CIM) first and here is how to do that.
8 |
9 | 1. From the Splunk Enterprise search page, select ‘Apps’ → ‘Find More Apps’.
10 |
11 | 1. Browse for “CIM” and select the Splunk Common Information Model add-on.
12 |
13 | 1. Accept the license agreement, provide Splunk account login credentials and select ‘Login and Install’.
14 |
15 | 1. Repeat steps 2-3 to install the Splunk Add-on for F5 BIG-IP.
16 |
17 |
18 | **Setup Splunk HTTP Event Collector**
19 | -------------------------------------
20 |
21 | To receive incoming telemetry data into my Splunk Enterprise environment over HTTP/HTTPs, I will need to create an HTTP Event Collector.
22 |
23 | 1. From the Splunk UI select ‘Settings’ → ‘Data Inputs’. Select ‘HTTP Event Collector’ from the input list.
24 |
25 | 1. Prior to creating a new event collector token, I must first enable token access for my Splunk environment. On the ‘HTTP Event Collector’ page, select ‘Global Settings’. I set ‘All Tokens’ to enabled, default index, incoming port and ensure SSL is enabled. Click ‘Save’ to exit.
26 |
27 | 1. Select ‘New Token’ and provide a name for the new collector and select ‘Next’.
28 |
29 | 1. On the ‘Input Settings’ tab select the necessary allowed index(es) and select ‘Review’ then ‘Submit’.
30 |
31 | 1. Once the token is created, copy and save the token information so that it can be used when configuring F5 Telemetry streaming.
32 |
33 | **Create Splunk Alerts**
34 | --------------------------------------
35 |
36 | ### Splunk alert query examples
37 |
38 | **BIG-IP Scaling**
39 | ```
40 | sourcetype="f5:telemetry:json" telemetryEventCategory=AVR MaxCpu>8000 | table hostname |eval source="splunk", scaleAction="scaleOutBigip"
41 | ```
42 | ```
43 | sourcetype="f5:telemetry:json" telemetryEventCategory=AVR MaxCpu<3000 | table hostname |eval source="splunk", scaleAction="scaleInBigip"
44 | ```
45 |
46 | **Workload Scaling**
47 | ```
48 | sourcetype="f5:telemetry:json" telemetryEventCategory=AVR MaxConcurrentConnections>3000 | table hostname |eval source="splunk", scaleAction="scaleOutWokload"
49 | ```
50 | ```
51 | sourcetype="f5:telemetry:json" telemetryEventCategory=AVR MaxConcurrentConnections<500 | table hostname |eval source="splunk", scaleAction="scaleInWorkload"
52 | ```
53 |
54 | ### Create Splunk Alerts
55 |
56 | 
57 |
58 | 
59 |
60 | 
--------------------------------------------------------------------------------
/ts_consumers/splunk/splunk.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | echo
3 | echo '##############################################'
4 | echo '# #'
5 | echo '# Welcome to the Splunk 7.0.2 auto-installer #'
6 | echo '# for CentOS 7 x64. #'
7 | echo '# Last updated 03/12/2018. #'
8 | echo '# Enter the "splunk" linux user account #'
9 | echo '# password and press enter to let the magic #'
10 | echo '# happen. Note: You will change the Splunk #'
11 | echo '# Web admin password upon first login. #'
12 | echo '# #'
13 | echo '##############################################'
14 | echo
15 | echo
16 | echo "never" > /sys/kernel/mm/transparent_hugepage/enabled
17 | echo "never" > /sys/kernel/mm/transparent_hugepage/defrag
18 | echo "[Unit]" > /etc/systemd/system/disable-thp.service
19 | echo "Description=Disable Transparent Huge Pages" >> /etc/systemd/system/disable-thp.service
20 | echo "" >> /etc/systemd/system/disable-thp.service
21 | echo "[Service]" >> /etc/systemd/system/disable-thp.service
22 | echo "Type=simple" >> /etc/systemd/system/disable-thp.service
23 | echo 'ExecStart=/bin/sh -c "echo never > /sys/kernel/mm/transparent_hugepage/enabled && echo never > /sys/kernel/mm/transparent_hugepage/defrag"' >> /etc/systemd/system/disable-thp.service
24 | echo "Type=simple" >> /etc/systemd/system/disable-thp.service
25 | echo "" >> /etc/systemd/system/disable-thp.service
26 | echo "[Install]" >> /etc/systemd/system/disable-thp.service
27 | echo "WantedBy=multi-user.target" >> /etc/systemd/system/disable-thp.service
28 | systemctl daemon-reload
29 | systemctl start disable-thp
30 | systemctl enable disable-thp
31 | echo
32 | echo "Transparent Huge Pages (THP) Disabled."
33 | echo
34 | ulimit -n 64000
35 | ulimit -u 20480
36 | echo "DefaultLimitFSIZE=-1" >> /etc/systemd/system.conf
37 | echo "DefaultLimitNOFILE=64000" >> /etc/systemd/system.conf
38 | echo "DefaultLimitNPROC=20480" >> /etc/systemd/system.conf
39 | echo
40 | echo "ulimit Increased."
41 | echo
42 | yum install wget -y
43 | cd /tmp
44 | wget -O splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.2&product=splunk&filename=splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz&wget=true'
45 | echo
46 | echo "Splunk Downloaded."
47 | echo
48 | tar -xzvf /tmp/splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz -C /opt
49 | rm -f /tmp/splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz
50 | useradd splunk
51 | echo splunk:F5demonet! > /tmp/pwdfile
52 | cat /tmp/pwdfile | chpasswd
53 | rm -f /tmp/pwdfile
54 | echo
55 | echo "Splunk installed and splunk linux user created."
56 | echo
57 | echo "[settings]" > /opt/splunk/etc/system/local/web.conf
58 | echo "enableSplunkWebSSL = true" >> /opt/splunk/etc/system/local/web.conf
59 | echo
60 | echo "HTTPS enabled for Splunk Web using self-signed certificate."
61 | echo
62 | chown -R splunk:splunk /opt/splunk
63 | afz=`firewall-cmd --get-active-zone | head -1`
64 | firewall-cmd --zone=$afz --add-port=8000/tcp --permanent
65 | firewall-cmd --zone=$afz --add-port=8065/tcp --permanent
66 | firewall-cmd --zone=$afz --add-port=8089/tcp --permanent
67 | firewall-cmd --zone=$afz --add-port=8191/tcp --permanent
68 | firewall-cmd --zone=$afz --add-port=9997/tcp --permanent
69 | firewall-cmd --zone=$afz --add-port=8080/tcp --permanent
70 | firewall-cmd --zone=$afz --add-port=10514/udp --permanent
71 | firewall-cmd --reload
72 | echo
73 | echo "Firewall ports used by Splunk opened."
74 | echo "[splunktcp]" > /opt/splunk/etc/system/local/inputs.conf
75 | echo "[splunktcp://9997]" >> /opt/splunk/etc/system/local/inputs.conf
76 | echo "index = main" >> /opt/splunk/etc/system/local/inputs.conf
77 | echo "disabled = 0" >> /opt/splunk/etc/system/local/inputs.conf
78 | echo "" >> /opt/splunk/etc/system/local/inputs.conf
79 | echo "[udp://10514]" >> /opt/splunk/etc/system/local/inputs.conf
80 | echo "index = main" >> /opt/splunk/etc/system/local/inputs.conf
81 | echo "disabled = 0" >> /opt/splunk/etc/system/local/inputs.conf
82 | chown splunk:splunk /opt/splunk/etc/system/local/inputs.conf
83 | echo
84 | echo "Enabled Splunk TCP input over 9997 and UDP traffic input over 10514."
85 | echo
86 | runuser -l splunk -c '/opt/splunk/bin/splunk start --accept-license'
87 | /opt/splunk/bin/splunk enable boot-start -user splunk
88 | runuser -l splunk -c '/opt/splunk/bin/splunk stop'
89 | chown root:splunk /opt/splunk/etc/splunk-launch.conf
90 | chmod 644 /opt/splunk/etc/splunk-launch.conf
91 | echo
92 | echo "Splunk test start and stop complete. Enabled Splunk to start at boot. Also, adjusted splunk-launch.conf to mitigate privilege escalation attack."
93 | echo
94 | runuser -l splunk -c '/opt/splunk/bin/splunk start'
95 | if [[ -f /opt/splunk/bin/splunk ]]
96 | then
97 | echo Splunk Enterprise
98 | cat /opt/splunk/etc/splunk.version | head -1
99 | echo "has been installed, configured, and started!"
100 | echo "Visit the Splunk server using https://hostNameORip:8000 as mentioned above."
101 | echo
102 | echo
103 | echo " HAPPY SPLUNKING!!!"
104 | echo
105 | echo
106 | echo
107 | else
108 | echo Splunk Enterprise has FAILED install!
109 | fi
110 | #End of File
111 |
--------------------------------------------------------------------------------
/ts_consumers/splunk/splunk.tf:
--------------------------------------------------------------------------------
1 | # Deploy Splunk Enterprise instance
2 |
3 | resource "azurerm_public_ip" "splunk_public_ip" {
4 | name = "pip-mgmt-splunk"
5 | location = var.location
6 | resource_group_name = azurerm_resource_group.rg.name
7 | allocation_method = "Static" # Static is required due to the use of the Standard sku
8 | tags = {
9 | Name = "pip-mgmt-splunk"
10 | source = "terraform"
11 | }
12 | }
13 |
14 | resource "azurerm_network_interface" "splunkvm-ext-nic" {
15 | name = "${local.app_id}-splunkvm-ext-nic"
16 | location = var.location
17 | resource_group_name = azurerm_resource_group.rg.name
18 | ip_configuration {
19 | name = "primary"
20 | subnet_id = data.azurerm_subnet.mgmt.id
21 | private_ip_address_allocation = "Static"
22 | private_ip_address = "10.2.1.135"
23 | primary = true
24 | public_ip_address_id = azurerm_public_ip.splunk_public_ip.id
25 | }
26 |
27 | tags = {
28 | Name = "${local.app_id}-splunkvm-ext-int"
29 | application = "splunkserver"
30 | tag_name = "Env"
31 | value = "splunk"
32 | }
33 | }
34 |
35 | resource "azurerm_virtual_machine" "splunkvm" {
36 | name = "splunkvm"
37 | location = var.location
38 | resource_group_name = azurerm_resource_group.rg.name
39 | network_interface_ids = [azurerm_network_interface.splunkvm-ext-nic.id]
40 | vm_size = "Standard_DS3_v2"
41 |
42 | # Uncomment this line to delete the OS disk automatically when deleting the VM
43 | delete_os_disk_on_termination = true
44 |
45 | # Uncomment this line to delete the data disks automatically when deleting the VM
46 | delete_data_disks_on_termination = true
47 |
48 | storage_os_disk {
49 | name = "splunkvmOsDisk"
50 | caching = "ReadWrite"
51 | create_option = "FromImage"
52 | managed_disk_type = "Premium_LRS"
53 | }
54 |
55 | storage_image_reference {
56 | publisher = "Canonical"
57 | offer = "UbuntuServer"
58 | sku = "16.04.0-LTS"
59 | version = "latest"
60 | }
61 |
62 | os_profile {
63 | computer_name = "splunkvm"
64 | admin_username = "splunk"
65 | admin_password = var.upassword
66 | custom_data = file("splunk.sh")
67 |
68 | }
69 |
70 | os_profile_linux_config {
71 | disable_password_authentication = false
72 | }
73 |
74 | tags = {
75 | Name = "${local.app_id}-splunkvm"
76 | tag_name = "Env"
77 | value = "splunk"
78 | propagate_at_launch = true
79 | }
80 | }
81 |
82 | output "splunk_public_address" {
83 | value = "https://${azurerm_public_ip.splunk_public_ip.ip_address}:8000"
84 | }
85 |
--------------------------------------------------------------------------------