├── .gitignore
├── README.md
├── backup-etc.yml
├── backup-full.yml
├── certs
│   └── README.md
├── combo.yml
├── files
│   └── README.md
├── group_vars
│   └── all.sample
├── hosts.sample
├── install.yml
├── os-config.yml
├── roles
│   ├── backup-etc
│   │   └── tasks
│   │       └── main.yml
│   ├── backup-full
│   │   └── tasks
│   │       └── main.yml
│   ├── core-install
│   │   ├── tasks
│   │   │   └── main.yml
│   │   └── templates
│   │       ├── limits.conf.j2
│   │       ├── server.conf.j2
│   │       ├── ui-tour.conf.j2
│   │       ├── user-prefs.conf.j2
│   │       ├── user-seed.conf.j2
│   │       └── web.conf.j2
│   ├── core-upgrade
│   │   └── tasks
│   │       └── main.yml
│   ├── os-config
│   │   ├── tasks
│   │   │   └── main.yml
│   │   └── templates
│   │       ├── disable-thp.j2
│   │       ├── disable-thp.service.j2
│   │       └── limits.conf.j2
│   ├── prereqs
│   │   └── tasks
│   │       └── main.yml
│   ├── tls-config
│   │   └── tasks
│   │       └── main.yml
│   ├── uf-config
│   │   ├── tasks
│   │   │   └── main.yml
│   │   └── templates
│   │       └── outputs.conf.j2
│   ├── uf-install
│   │   ├── tasks
│   │   │   └── main.yml
│   │   └── templates
│   │       └── user-seed.conf.j2
│   └── uf-upgrade
│       └── tasks
│           └── main.yml
├── tls-config.yml
├── uf-combo.yml
├── uf-config.yml
├── uf-install.yml
├── uf-upgrade.yml
└── upgrade.yml

/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py
db.sqlite3

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# Jupyter Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# SageMath parsed files
*.sage.py

# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/

# macOS
.DS_Store

# Project specific
group_vars/all

*hosts*
!hosts.sample

*.retry

files/*
!files/README.md

certs/*
!certs/README.md

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Ansible-Splunk-Base

This is an Ansible project that installs or upgrades Splunk to a specific version. It can also perform basic OS configuration (ulimits, THP disabled, hostname, etc.), $SPLUNK_HOME/etc/ backups, and TLS certificate installation for Splunk Web.


### Setup

1. Install Ansible

  - sudo apt-get install ansible (Ubuntu)
  - brew install ansible (macOS)

2. git clone this project

  - git clone https://github.com/johnmcgovern/ansible-splunk-base.git

3. Navigate to the project base directory

  - cd ./ansible-splunk-base

4. Copy hosts.sample to hosts

  - cp hosts.sample hosts

5. Edit the hosts file to include the desired hosts

  - vi hosts

6. Copy group_vars/all.sample to group_vars/all

  - cp group_vars/all.sample group_vars/all

7. Edit the group_vars/all variables as appropriate for your environment

  - vi group_vars/all

  group_vars/all holds the SSH, sudo, and Splunk admin credentials in plaintext. It is excluded from git by .gitignore, but for anything beyond a lab, store those values with ansible-vault encrypt_string and run the playbooks with --ask-vault-pass (or --vault-password-file).


### Usage

1. Navigate to the playbook base directory

  - cd ./ansible-splunk-base

2. Run the Splunk install playbook

  - ansible-playbook -i hosts install.yml

3. -or- run the Splunk upgrade playbook

  - ansible-playbook -i hosts upgrade.yml

4. -or- run the Splunk OS initial configuration playbook (built to provide a simple configuration for lab hosts)

  - ansible-playbook -i hosts os-config.yml

5. -or- run a base OS config AND install Splunk

  - ansible-playbook -i hosts combo.yml

6. -or- configure a TLS/SSL key pair for Splunk Web (tcp/8000)

  - ansible-playbook -i hosts tls-config.yml

7. -or- run the Splunk UF install playbook

  - ansible-playbook -i hosts uf-install.yml

8. -or- run the Splunk UF config playbook

  - ansible-playbook -i hosts uf-config.yml

9. -or- run the Splunk UF install AND config playbook

  - ansible-playbook -i hosts uf-combo.yml

10. -or- run the Splunk UF upgrade playbook

  - ansible-playbook -i hosts uf-upgrade.yml

11. -or- run the Splunk configuration-only ($SPLUNK_HOME/etc/) backup playbook

  - ansible-playbook -i hosts backup-etc.yml

12. -or- run the Splunk full backup (/opt/splunk/) playbook

  - ansible-playbook -i hosts backup-full.yml

13. Run an Ansible playbook limited to certain hosts within the hosts list

  - ansible-playbook -i hosts --limit=host1 install.yml

14. Run multiple playbooks in one command (each argument must be a playbook file, including the .yml extension)

  - ansible-playbook -i hosts os-config.yml install.yml tls-config.yml


### Compatibility

This project has been tested on:

- Ubuntu 22.04, 20.04, & 18.04 Server (LTS)
- RHEL 8
- CentOS 7 1810
- Amazon Linux 2 2022.06 & 2020.04


### Notes

- The goal of this project is to quickly execute a best-practices base Splunk install/upgrade (including support for Workload Management, which is a departure from the previous install method).
- There are more complex/full-featured projects out there for various deployment topologies. The goal here is simplicity, speed, and utility.
- Splunk 8.1.1 introduced PolicyKit (polkit) management of systemd processes, which allows splunkd to be restarted (for example) as the splunk user or as root using the commands "splunk restart", "systemctl restart Splunkd", and "sudo systemctl restart Splunkd" for maximum flexibility.
- Both "systemd" and "initd" methods of Linux process management are supported. systemd is ONLY available in Splunk Enterprise version 7.2.2 and later.
- Splunk versions 7.2.2 - 7.2.x implement "enable boot-start" differently than 7.3.0 and later. This is now accounted for.
- Assuming a semi-default install (such as you would get by installing with this playbook), upgrade.yml will convert from initd process management to systemd process management if you set install_method to "systemd".
- A number of config items are set which disable pop-ups and modal dialogs that would normally be shown to the Splunk admin and/or users, such as new-version-available notifications, UI tours, and Python 2.7 deprecation notifications. The goal here is to avoid UI annoyances that would crop up in automated distributed Splunk deployments.
- This Ansible playbook does not currently handle OS-level firewall rules for splunkd TCP ports. Open them separately; the ports referenced by group_vars/all.sample are tcp/8000 (Splunk Web), tcp/8089 (management / deployment server), and tcp/9997 (forwarder receiving).
- We bias towards being non-destructive. For example, if we see an existing/previous Splunk install we will fail out rather than damage the current install.

### To-Do

- Support for additional server settings.
- Simplified version/file/hash dictionary.


### Warranty

This project is provided WITHOUT any form of warranty and should be tested thoroughly before using it in your environment. Development is best-effort only. This project is provided as-is with no guarantee as to fitness for a specific purpose. Please use it at your own risk.


### Contact

- john@johnmcgovern.com or https://www.johnmcgovern.com

--------------------------------------------------------------------------------
/backup-etc.yml:
--------------------------------------------------------------------------------
---
# This playbook backs up Splunk configuration in $SPLUNK_HOME/etc/ to $HOME_PATH/backups/

- name: Backup Splunk configuration
  hosts: all
  roles:
    - backup-etc

--------------------------------------------------------------------------------
/backup-full.yml:
--------------------------------------------------------------------------------
---
# This playbook backs up all of $SPLUNK_HOME/ to $HOME_PATH/backups/

- name: Backup all Splunk data in $SPLUNK_HOME including buckets to $HOME_PATH/backups/
  hosts: all
  roles:
    - backup-full

--------------------------------------------------------------------------------
/certs/README.md:
--------------------------------------------------------------------------------
# Ansible-Splunk-Base ./certs/

To upload custom TLS certificates for Splunk Web (default tcp/8000):

1. Place your server certificate (PEM format) in certs/cert.pem. If your CA provides an intermediate chain, append it after the server certificate, in issuing order (leaf first, then intermediates).

2. Place your private key (PEM format) in certs/privkey.pem. certs/* is gitignored so the key is not committed; keep its permissions owner-only on the control node as well.

3. Run:

  - ansible-playbook -i hosts tls-config.yml

4. This project will upload the certs to $SPLUNK_HOME/etc/auth/my-certs/.

5. This project will then perform default configuration to reference these certs in $SPLUNK_HOME/etc/system/local/web.conf.

--------------------------------------------------------------------------------
/combo.yml:
--------------------------------------------------------------------------------
---
# This playbook:
# 1) Performs a basic OS configuration for lab hosts.
# 2) Installs a base image of Splunk Enterprise.

- name: Apply prereqs to all nodes
  hosts: all
  gather_facts: no
  roles:
    - prereqs

- name: Basic OS Configuration & Updates
  hosts: all
  roles:
    - os-config

- name: Install Splunk
  hosts: all
  roles:
    - core-install

--------------------------------------------------------------------------------
/files/README.md:
--------------------------------------------------------------------------------
# Ansible-Splunk-Base ./files/

By default, this project pulls down the Splunk Enterprise and Universal Forwarder packages by downloading them (wget) from the official Splunk download links.

If you would like to instead upload the Splunk .tgz from your local Ansible machine, set download_tgz_from_splunk_servers and/or download_uf_tgz_from_splunk_servers to "false" in ./group_vars/all and place the archive in this directory.

If a file with the same MD5 checksum is already present on the server, this project does not redownload/upload the file. The expected MD5 comes from splunk_tgz_checksum / splunk_uf_tgz_checksum in group_vars/all, so this detects a corrupt or stale archive; it only protects against a substituted archive to the extent that value was copied from a trusted source (Splunk's download page over HTTPS) rather than from the same mirror that served the file.
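Before running tls-config.yml it is worth checking that the two files in certs/ actually belong together, because Splunk Web simply fails to start on a mismatched key/certificate pair or a mis-ordered chain, and the role will already have overwritten web.conf by then. The POSIX shell function below is an added example written for this page, not code from the ansible-splunk-base project. It assumes openssl is installed on the control node, that cert.pem is the server certificate followed by its intermediates as the certs README above asks for, and that the private key is unencrypted (the role's web.conf template is not shown here, so a passphrase-protected key is treated as an error).

```shell
#!/bin/sh
# Added example (not part of ansible-splunk-base): check certs/cert.pem and
# certs/privkey.pem before running tls-config.yml.
#   Usage: check_cert_pair certs/cert.pem certs/privkey.pem
# Assumes openssl on the control node and an unencrypted private key.

# nth_cert BUNDLE N: print the Nth PEM certificate block of a bundle file.
nth_cert() {
    awk -v n="$2" '/BEGIN CERTIFICATE/ { i++ }
                   i == n { print }
                   /END CERTIFICATE/ && i == n { exit }' "$1"
}

check_cert_pair() {
    cert="$1"; key="$2"

    # 1. The key must parse without a passphrase: Splunk Web loads it
    #    unattended at start-up, so an encrypted key would block restarts.
    if ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
        echo "FAIL: $key is missing, not PEM, or passphrase-protected" >&2
        return 1
    fi

    # 2. Only the owner may read the key on the control node
    #    (columns 5-10 of ls -l are the group and other permission bits).
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is group/world readable; run: chmod 600 $key" >&2
        return 1
    fi

    # 3. The first certificate in the bundle must carry this key's public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: first certificate in $cert does not match $key" >&2
        return 1
    fi

    # 4. Chain order: every certificate must be issued by the one after it
    #    (leaf first, then intermediates), the order the certs README asks for.
    n=$(grep -c 'BEGIN CERTIFICATE' "$cert")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$cert" "$i" | openssl x509 -noout -issuer_hash)
        subject=$(nth_cert "$cert" $((i + 1)) | openssl x509 -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "FAIL: certificate $((i + 1)) in $cert did not issue certificate $i" >&2
            return 1
        fi
        i=$((i + 1))
    done

    echo "OK: $cert ($n certificate(s)) matches $key"
    return 0
}
```

The public-key comparison (step 3) is the reliable way to pair a key with a certificate; comparing modulus hashes works for RSA only, whereas -pubkey / -pubout produce the same SubjectPublicKeyInfo for RSA and EC keys alike. The chain check compares issuer and subject name hashes only, so it catches the common mistake of pasting the chain in the wrong order but does not validate signatures or expiry; run openssl verify against your CA bundle for that.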
--------------------------------------------------------------------------------
/group_vars/all.sample:
--------------------------------------------------------------------------------

# ========================================
# Ansible, OS, & Splunk Config Variables
# ========================================

#
# Change These:
# (Username / password type variables that should be changed)
#

# Remote host username, SSH password, become (sudo) password, and SSH private key file (default method)
# Comment out whichever of ansible_ssh_pass, ansible_become_pass (sudo), and
# ansible_ssh_private_key_file your authentication method does not need.
ansible_user: ubuntu
# ansible_ssh_pass: samplePassword
# ansible_become_pass: samplePassword
ansible_ssh_private_key_file: ~/.ssh/id_rsa

# Username and password for the Splunk Enterprise admin user
# (set during initial install, not changed during upgrade)
# Replace the sample password before running; group_vars/all is gitignored and
# must stay out of version control.
splunk_user: admin
splunk_pass: splunk123

# Username and password for the Splunk Universal Forwarder admin user
# (set during initial install, not changed during upgrade)
splunk_uf_user: ufadmin
splunk_uf_pass: splunk123


#
# Splunk Installation & OS Level Defaults
# (These variables are reasonable defaults and can be safely left alone)
#

# Whether to download (wget) the tgz installer from Splunk (true, default)
# or upload the tgz from the ./files/ directory of this project (false)
download_tgz_from_splunk_servers: true
download_uf_tgz_from_splunk_servers: true

# Ansible connection defaults
ansible_connection: smart
ansible_port: 22

# User and group that will run splunkd on the OS and own Splunk files
os_user: splunk
os_group: splunk

# $SPLUNK_HOME path
splunk_home: /opt/splunk
splunk_uf_home: /opt/splunkforwarder
splunk_base_path: /opt


#
# Splunk Configuration Settings
# (These settings impact how Splunk is initially configured.)
#

# Allow Splunk to check for updates?
# (true (default) or false)
check_for_updates: true


#
# Universal Forwarder Configuration Settings
# (These settings impact how the UF is configured in uf-config.yml.)
#

# -UF DS- The address of the deployment server (IP or FQDN).
uf_deploy_server_address: 127.0.0.1

# -UF DS- The port of the deployment server (defaults to 8089).
uf_deploy_server_port: 8089

# -UF Outputs- The address of the indexer, heavy forwarder, or cluster master (FQDN or IP) for outputs.conf.
# Currently, only a single address is supported.
uf_forward_internal_logs_address: 127.0.0.1

# -UF Outputs- The receiving port of the indexer, heavy forwarder, or cluster master for outputs.conf
uf_forward_internal_logs_port: 9997



# ===========================================
# Splunk Enterprise (Core) Version Selector
# ===========================================

# Latest Splunk Enterprise version, filename, and MD5 checksum as published on the Splunk download page (for the wget pull)
splunk_version: 9.2.2
splunk_tgz: splunk-9.2.2-d76edf6f0a15-Linux-x86_64.tgz
splunk_tgz_checksum: da10ab0199358aa96b3a29420a9d5f4b

# Installation method (pick one):
# systemd - 7.2.2 or later required.
# initd - Supported on any version, but no Workload Management support.
96 | install_method: systemd 97 | 98 | 99 | 100 | # ============================================= 101 | # Splunk Universal Forwarder Version Selector 102 | # ============================================= 103 | 104 | splunk_uf_version: 9.2.2 105 | splunk_uf_tgz: splunkforwarder-9.2.2-d76edf6f0a15-Linux-x86_64.tgz 106 | splunk_uf_tgz_checksum: 0dc08c4508cdd886186eda006793320d 107 | 108 | 109 | 110 | # ============================================= 111 | # Splunk Enterprise Version Library 112 | # (uncomment and copy to use) 113 | # ============================================= 114 | 115 | # 9.2.x 116 | 117 | # splunk_version: 9.2.2 118 | # splunk_tgz: splunk-9.2.2-d76edf6f0a15-Linux-x86_64.tgz 119 | # splunk_tgz_checksum: da10ab0199358aa96b3a29420a9d5f4b 120 | 121 | # splunk_version: 9.2.1 122 | # splunk_tgz: splunk-9.2.1-78803f08aabb-Linux-x86_64.tgz 123 | # splunk_tgz_checksum: 1f25058670c915fac35477b3a3a6b384 124 | 125 | # splunk_version: 9.2.0.1 126 | # splunk_tgz: splunk-9.2.0.1-d8ae995bf219-Linux-x86_64.tgz 127 | # splunk_tgz_checksum: 46e43ddee3476b8b8e929cc131c7bd50 128 | 129 | # 9.1.x 130 | 131 | # splunk_version: 9.1.3 132 | # splunk_tgz: splunk-9.1.3-d95b3299fa65-Linux-x86_64.tgz 133 | # splunk_tgz_checksum: 3456b7e1ee4d7e885a8a09fc56db872b 134 | 135 | # splunk_version: 9.1.2 136 | # splunk_tgz: splunk-9.1.2-b6b9c8185839-Linux-x86_64.tgz 137 | # splunk_tgz_checksum: aad800b656cef41e16c3819034d1c4f7 138 | 139 | # splunk_version: 9.1.1 140 | # splunk_tgz: splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz 141 | # splunk_tgz_checksum: bf20ce267f77d999a5b1e425139b51d7 142 | 143 | # splunk_version: 9.1.0.2 144 | # splunk_tgz: splunk-9.1.0.2-b6436b649711-Linux-x86_64.tgz 145 | # splunk_tgz_checksum: cb565358786f56ca3ddfaf3e4c9d7b53 146 | 147 | # 9.0.x 148 | 149 | # splunk_version: 9.0.5 150 | # splunk_tgz: splunk-9.0.5-e9494146ae5c-Linux-x86_64.tgz 151 | # splunk_tgz_checksum: 375b73bd53ede4da36b5e6e933fc898d 152 | 153 | # splunk_version: 9.0.4.1 154 | # splunk_tgz: 
splunk-9.0.4.1-419ad9369127-Linux-x86_64.tgz 155 | # splunk_tgz_checksum: 41ece26237995aa9a9e9030a1ceed250 156 | 157 | # splunk_version: 9.0.4 158 | # splunk_tgz: splunk-9.0.4-de405f4a7979-Linux-x86_64.tgz 159 | # splunk_tgz_checksum: baa26f72df26d07a95a42642e89b2288 160 | 161 | # splunk_version: 9.0.3 162 | # splunk_tgz: splunk-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz 163 | # splunk_tgz_checksum: 37e1c9c1186e1e8762a76c71dbf78d1f 164 | 165 | # splunk_version: 9.0.2 166 | # splunk_tgz: splunk-9.0.2-17e00c557dc1-Linux-x86_64.tgz 167 | # splunk_tgz_checksum: 10cf541607feb6171725c2d17b7fadf9 168 | 169 | # splunk_version: 9.0.1 170 | # splunk_tgz: splunk-9.0.1-82c987350fde-Linux-x86_64.tgz 171 | # splunk_tgz_checksum: c4b43b1473dd297e401d862e2bee92c5 172 | 173 | # splunk_version: 9.0.0.1 174 | # splunk_tgz: splunk-9.0.0.1-9e907cedecb1-Linux-x86_64.tgz 175 | # splunk_tgz_checksum: 13d1fead12fd73a39c5f8b7d11226a93 176 | 177 | # splunk_version: 9.0.0 178 | # splunk_tgz: splunk-9.0.0-6818ac46f2ec-Linux-x86_64.tgz 179 | # splunk_tgz_checksum: e4e85141143493226aa13b249909e85a 180 | 181 | # 8.2.x 182 | 183 | # splunk_version: 8.2.9 184 | # splunk_tgz: splunk-8.2.9-4a20fb65aa78-Linux-x86_64.tgz 185 | # splunk_tgz_checksum: fd3c5fac9a2822327d01f2f12acee86f 186 | 187 | # splunk_version: 8.2.8 188 | # splunk_tgz: splunk-8.2.8-da25d08d5d3e-Linux-x86_64.tgz 189 | # splunk_tgz_checksum: 9f38cc59dac5f845488f2a0315635299 190 | 191 | # splunk_version: 8.2.7.1 192 | # splunk_tgz: splunk-8.2.7.1-c2b65bc24aea-Linux-x86_64.tgz 193 | # splunk_tgz_checksum: f1ca62ea0141803d4b2b8acd1f8b4a51 194 | 195 | # splunk_version: 8.2.7 196 | # splunk_tgz: splunk-8.2.7-2e1fca123028-Linux-x86_64.tgz 197 | # splunk_tgz_checksum: 99dd11823d2a00e9eb84b6e1f385a674 198 | 199 | # splunk_version: 8.2.6.1 200 | # splunk_tgz: splunk-8.2.6.1-5f0da8f6e22c-Linux-x86_64.tgz 201 | # splunk_tgz_checksum: 7d957e30d3d1bf286f8819c35e0f3b4f 202 | 203 | # splunk_version: 8.2.6 204 | # splunk_tgz: 
splunk-8.2.6-a6fe1ee8894b-Linux-x86_64.tgz 205 | # splunk_tgz_checksum: 14f8aa5b2a5cd554975cb9410eda0879 206 | 207 | # splunk_version: 8.2.5 208 | # splunk_tgz: splunk-8.2.5-77015bc7a462-Linux-x86_64.tgz 209 | # splunk_tgz_checksum: 83f6ca53a7f94d4a4fe5a79a98544b84 210 | 211 | # splunk_version: 8.2.4 212 | # splunk_tgz: splunk-8.2.4-87e2dda940d1-Linux-x86_64.tgz 213 | # splunk_tgz_checksum: f0db7340f068f7131061bb91faf0f9c6 214 | 215 | # splunk_version: 8.2.3.2 216 | # splunk_tgz: splunk-8.2.3.2-5281ae34c90c-Linux-x86_64.tgz 217 | # splunk_tgz_checksum: f9bf9055c3cf89eea04f1f47b3ae7c35 218 | 219 | # splunk_version: 8.2.3 220 | # splunk_tgz: splunk-8.2.3-cd0848707637-Linux-x86_64.tgz 221 | # splunk_tgz_checksum: 7ebcbef3c6ed0c2ef1ca9b3dc4aad362 222 | 223 | # splunk_version: 8.2.2.1 224 | # splunk_tgz: splunk-8.2.2.1-ae6821b7c64b-Linux-x86_64.tgz 225 | # splunk_tgz_checksum: 29a884e156f2cb790a40e41b85e68038 226 | 227 | # splunk_version: 8.2.2 228 | # splunk_tgz: splunk-8.2.2-87344edfcdb4-Linux-x86_64.tgz 229 | # splunk_tgz_checksum: ee0163f222dbbfd49194cbf6d31373df 230 | 231 | # splunk_version: 8.2.1 232 | # splunk_tgz: splunk-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz 233 | # splunk_tgz_checksum: ab420a67559e401adf6f2c8467f60a7b 234 | 235 | # splunk_version: 8.2.0 236 | # splunk_tgz: splunk-8.2.0-e053ef3c985f-Linux-x86_64.tgz 237 | # splunk_tgz_checksum: 18152e1c2c54cc9f5d6015de86b800ca 238 | 239 | # 8.1.x 240 | 241 | # splunk_version: 8.1.8 242 | # splunk_tgz: splunk-8.1.8-39da583cc695-Linux-x86_64.tgz 243 | # splunk_tgz_checksum: ea2f65abc107b061efbd54507422fae0 244 | 245 | # splunk_version: 8.1.5 246 | # splunk_tgz: splunk-8.1.5-9c0c082e4596-Linux-x86_64.tgz 247 | # splunk_tgz_checksum: 5426ce57ebe9f102ece0d7c1fd09a916 248 | 249 | # splunk_version: 8.1.4 250 | # splunk_tgz: splunk-8.1.4-17f862b42a7c-Linux-x86_64.tgz 251 | # splunk_tgz_checksum: 0d9fa82f82ac5cdac5cb30fe4ebb8cd6 252 | 253 | # splunk_version: 8.1.3 254 | # splunk_tgz: 
splunk-8.1.3-63079c59e632-Linux-x86_64.tgz 255 | # splunk_tgz_checksum: 5723c821ca9010bbeb53d340363da47c 256 | 257 | # splunk_version: 8.1.2 258 | # splunk_tgz: splunk-8.1.2-545206cc9f70-Linux-x86_64.tgz 259 | # splunk_tgz_checksum: 4564eeb927eee7ded6f8d2652955ba2d 260 | 261 | # splunk_version: 8.1.1 262 | # splunk_tgz: splunk-8.1.1-08187535c166-Linux-x86_64.tgz 263 | # splunk_tgz_checksum: b1fe22946415293a219b18c2d34ffbe4 264 | 265 | # splunk_version: 8.1.0.1 266 | # splunk_tgz: splunk-8.1.0.1-24fd52428b5a-Linux-x86_64.tgz 267 | # splunk_tgz_checksum: f5cd85c2860c6f21322abd7768c84b60 268 | 269 | # splunk_version: 8.1.0 270 | # splunk_tgz: splunk-8.1.0-f57c09e87251-Linux-x86_64.tgz 271 | # splunk_tgz_checksum: 3de8c518e87cefe38414aabdbdf46ff8 272 | 273 | # 8.0.x 274 | 275 | # splunk_version: 8.0.10 276 | # splunk_tgz: splunk-8.0.10-9f06f1f5a2e9-Linux-x86_64.tgz 277 | # splunk_tgz_checksum: 108c354978eb8321001fb4f5ef0cd149 278 | 279 | # splunk_version: 8.0.9 280 | # splunk_tgz: splunk-8.0.9-153839c8b72f-Linux-x86_64.tgz 281 | # splunk_tgz_checksum: 8f741ffff675a54724d14536e8f24d2b 282 | 283 | # splunk_version: 8.0.8 284 | # splunk_tgz: splunk-8.0.8-70c2fa5ea15d-Linux-x86_64.tgz 285 | # splunk_tgz_checksum: 61fff24d7dcd0f0584b89854544e0a9a 286 | 287 | # splunk_version: 8.0.7 288 | # splunk_tgz: splunk-8.0.7-cbe73339abca-Linux-x86_64.tgz 289 | # splunk_tgz_checksum: feab1325d87af7cc584e5cb5eca11aae 290 | 291 | # splunk_version: 8.0.6 292 | # splunk_tgz: splunk-8.0.6-152fb4b2bb96-Linux-x86_64.tgz 293 | # splunk_tgz_checksum: 5a8edfd3808a8c0105ada9df7114ec38 294 | 295 | # splunk_version: 8.0.5 296 | # splunk_tgz: splunk-8.0.5-a1a6394cc5ae-Linux-x86_64.tgz 297 | # splunk_tgz_checksum: 3058ae8fbb7d6df72d739500536f567e 298 | 299 | # splunk_version: 8.0.4.1 300 | # splunk_tgz: splunk-8.0.4.1-ab7a85abaa98-Linux-x86_64.tgz 301 | # splunk_tgz_checksum: fa42e6004ae7fae7b21bc55482c82be8 302 | 303 | # splunk_version: 8.0.4 304 | # splunk_tgz: 
splunk-8.0.4-767223ac207f-Linux-x86_64.tgz 305 | # splunk_tgz_checksum: fe463a402f6e0a602b8e1af81e3194cc 306 | 307 | # splunk_version: 8.0.3 308 | # splunk_tgz: splunk-8.0.3-a6754d8441bf-Linux-x86_64.tgz 309 | # splunk_tgz_checksum: bb3255a62fe5337e20482e8ad77848b8 310 | 311 | # splunk_version: 8.0.2.1 312 | # splunk_tgz: splunk-8.0.2.1-f002026bad55-Linux-x86_64.tgz 313 | # splunk_tgz_checksum: 09038d50160d062247712de121526b8f 314 | 315 | # splunk_version: 8.0.2 316 | # splunk_tgz: splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz 317 | # splunk_tgz_checksum: 0f9d49a4a609e588107923c40fe61230 318 | 319 | # splunk_version: 8.0.1 320 | # splunk_tgz: splunk-8.0.1-6db836e2fb9e-Linux-x86_64.tgz 321 | # splunk_tgz_checksum: c249d5312a05de832d7f9e298f505ad0 322 | 323 | # splunk_version: 8.0.0 324 | # splunk_tgz: splunk-8.0.0-1357bef0a7f6-Linux-x86_64.tgz 325 | # splunk_tgz_checksum: e4dd7986af1740504340baf62e63c82b 326 | 327 | # 7.3.x 328 | 329 | # splunk_version: 7.3.9 330 | # splunk_tgz: splunk-7.3.9-39a78bf1bc5b-Linux-x86_64.tgz 331 | # splunk_tgz_checksum: 64a4e7977e13b301c6c74444f782f461 332 | 333 | # splunk_version: 7.3.8 334 | # splunk_tgz: splunk-7.3.8-bdc98854fc40-Linux-x86_64.tgz 335 | # splunk_tgz_checksum: eab5796cfc5916cf1cc3ac28d9e09d9b 336 | 337 | # splunk_version: 7.3.7 338 | # splunk_tgz: splunk-7.3.7-9d9aa3f78593-Linux-x86_64.tgz 339 | # splunk_tgz_checksum: f206e831c98e4202e27114b43128de36 340 | 341 | # splunk_version: 7.3.6 342 | # splunk_tgz: splunk-7.3.6-47d8552a4d84-Linux-x86_64.tgz 343 | # splunk_tgz_checksum: 7e5062dc025a0139072a7cb929068944 344 | 345 | # splunk_version: 7.3.5 346 | # splunk_tgz: splunk-7.3.5-86fd62efc3d7-Linux-x86_64.tgz 347 | # splunk_tgz_checksum: 75aaa9e1744dab5c3b57f99fbe980467 348 | 349 | # splunk_version: 7.3.4.2 350 | # splunk_tgz: splunk-7.3.4.2-cb574b3d103e-Linux-x86_64.tgz 351 | # splunk_tgz_checksum: 2841182526554f4e8b2d5095050afb31 352 | 353 | # splunk_version: 7.3.4 354 | # splunk_tgz: 
splunk-7.3.4-13e97039fb65-Linux-x86_64.tgz 355 | # splunk_tgz_checksum: 9acf21d68dade2eb69748a7ff40de61a 356 | 357 | # splunk_version: 7.3.3 358 | # splunk_tgz: splunk-7.3.3-7af3758d0d5e-Linux-x86_64.tgz 359 | # splunk_tgz_checksum: ff699d328dd64d16c1ce71ba983e40b0 360 | 361 | # splunk_version: 7.3.2 362 | # splunk_tgz: splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz 363 | # splunk_tgz_checksum: 7b0008d37e815862c72c614fc53719e5 364 | 365 | # splunk_version: 7.3.1.1 366 | # splunk_tgz: splunk-7.3.1.1-7651b7244cf2-Linux-x86_64.tgz 367 | # splunk_tgz_checksum: c027a09ce04ce7b7651da137c75b995e 368 | 369 | # splunk_version: 7.3.1 370 | # splunk_tgz: splunk-7.3.1-bd63e13aa157-Linux-x86_64.tgz 371 | # splunk_tgz_checksum: 1b6080805db370fc798f52ef068f2d84 372 | 373 | # splunk_version: 7.3.0 374 | # splunk_tgz: splunk-7.3.0-657388c7a488-Linux-x86_64.tgz 375 | # splunk_tgz_checksum: 682185ee7e193325762b42118a218736 376 | 377 | # 7.2.x 378 | 379 | # splunk_version: 7.2.10 380 | # splunk_tgz: splunk-7.2.10-a6dfcc62f450-Linux-x86_64.tgz 381 | # splunk_tgz_checksum: f1d4c7dd02c88a0763022438b49d4840 382 | 383 | # splunk_version: 7.2.9.1 384 | # splunk_tgz: splunk-7.2.9.1-605df3f0dfdd-Linux-x86_64.tgz 385 | # splunk_tgz_checksum: dcd0da1cc90198c62809dcfd9cd79599 386 | 387 | # splunk_version: 7.2.9 388 | # splunk_tgz: splunk-7.2.9-2dc56eaf3546-Linux-x86_64.tgz 389 | # splunk_tgz_checksum: 132f572fd9e3a89a02b1f1f8c422a9b9 390 | 391 | # splunk_version: 7.2.8 392 | # splunk_tgz: splunk-7.2.8-d613a50d43ac-Linux-x86_64.tgz 393 | # splunk_tgz_checksum: 3165aaf0c088759b2dbaa5b0d0a7af76 394 | 395 | # splunk_version: 7.2.7 396 | # splunk_tgz: splunk-7.2.7-f817a93effc2-Linux-x86_64.tgz 397 | # splunk_tgz_checksum: d3e59efdb12f7c98408c681d39b7ac04 398 | 399 | # splunk_version: 7.2.6 400 | # splunk_tgz: splunk-7.2.6-c0bf0f679ce9-Linux-x86_64.tgz 401 | # splunk_tgz_checksum: 4a182b7189e8b1be70e4ba8516ca0548 402 | 403 | # splunk_version: 7.2.5.1 404 | # splunk_tgz: 
splunk-7.2.5.1-962d9a8e1586-Linux-x86_64.tgz 405 | # splunk_tgz_checksum: ed92450d0edb252ae9ecb9cc498732a4 406 | 407 | # splunk_version: 7.2.5 408 | # splunk_tgz: splunk-7.2.5-088f49762779-Linux-x86_64.tgz 409 | # splunk_tgz_checksum: 736ffdffa71e1f9afd1eb56fe82acc28 410 | 411 | # splunk_version: 7.2.4.2 412 | # splunk_tgz: splunk-7.2.4.2-fb30470262e3-Linux-x86_64.tgz 413 | # splunk_tgz_checksum: 85e83bd398a5a2acccf6d519f202a854 414 | 415 | # splunk_version: 7.2.4 416 | # splunk_tgz: splunk-7.2.4-8a94541dcfac-Linux-x86_64.tgz 417 | # splunk_tgz_checksum: db26193acd43e33f1cdf04507aa368f1 418 | 419 | 420 | # Initd only versions 421 | # (no Workload Management support) 422 | # (< 7.2.2) 423 | # ------------------------------------ 424 | 425 | # 7.1.x 426 | 427 | # splunk_version: 7.1.10 428 | # splunk_tgz: splunk-7.1.10-4d9ba64e2c47-Linux-x86_64.tgz 429 | # splunk_tgz_checksum: e141ac10a431ea5311278c849df01d62 430 | 431 | # splunk_version: 7.1.9 432 | # splunk_tgz: splunk-7.1.9-45b25e1f9be3-Linux-x86_64.tgz 433 | # splunk_tgz_checksum: 1665c1dc6a7fe73402803d9f118305fa 434 | 435 | # splunk_version: 7.1.8 436 | # splunk_tgz: splunk-7.1.8-3856f9bb4747-Linux-x86_64.tgz 437 | # splunk_tgz_checksum: 777aa559584079cb4d6192ba7b2c93d8 438 | 439 | # splunk_version: 7.1.7 440 | # splunk_tgz: splunk-7.1.7-39ea4c097c30-Linux-x86_64.tgz 441 | # splunk_tgz_checksum: ff496bd5ad832258204a2c8edb3e151e 442 | 443 | # splunk_version: 7.1.6 444 | # splunk_tgz: splunk-7.1.6-8f009a3f5353-Linux-x86_64.tgz 445 | # splunk_tgz_checksum: 5512ec4ed01a3ae9fc4f480b010d8577 446 | 447 | # 7.0.x 448 | 449 | # splunk_version: 7.0.13.1 450 | # splunk_tgz: splunk-7.0.13.1-599c4319fba9-Linux-x86_64.tgz 451 | # splunk_tgz_checksum: 1d3a005b9c19b48bd5da1293089c373a 452 | 453 | # splunk_version: 7.0.11 454 | # splunk_tgz: splunk-7.0.11-ca372bdc34bc-Linux-x86_64.tgz 455 | # splunk_tgz_checksum: 3dfb0fdcdd58236312bcd1a89f719a89 456 | 457 | # splunk_version: 7.0.10 458 | # splunk_tgz: 
splunk-7.0.10-d8401e2713e7-Linux-x86_64.tgz 459 | # splunk_tgz_checksum: 6d3be843e9f8623b3321757299ed010a 460 | 461 | # splunk_version: 7.0.9 462 | # splunk_tgz: splunk-7.0.9-12f0d9382e96-Linux-x86_64.tgz 463 | # splunk_tgz_checksum: 032c99f736e51a62195f25058fae3415 464 | 465 | # splunk_version: 7.0.7 466 | # splunk_tgz: splunk-7.0.7-b803471b1c68-Linux-x86_64.tgz 467 | # splunk_tgz_checksum: 6fb3ff7f418f4a22993ca9afce424e8a 468 | 469 | # 6.6.x 470 | 471 | # splunk_version: 6.6.12.1 472 | # splunk_tgz: splunk-6.6.12.1-21b2b228fa50-Linux-x86_64.tgz 473 | # splunk_tgz_checksum: e277aca695d199e2a02479c4f41d2840 474 | 475 | # splunk_version: 6.6.12 476 | # splunk_tgz: splunk-6.6.12-ff1b28d42e4c-Linux-x86_64.tgz 477 | # splunk_tgz_checksum: 09b209e37901ce67e2bbbd4050c8124c 478 | 479 | 480 | 481 | 482 | # ================================================ 483 | # Splunk Universal Forwarder Version Library 484 | # (uncomment and copy to use) 485 | # ================================================ 486 | 487 | # 9.2.x 488 | 489 | # splunk_uf_version: 9.2.2 490 | # splunk_uf_tgz: splunkforwarder-9.2.2-d76edf6f0a15-Linux-x86_64.tgz 491 | # splunk_uf_tgz_checksum: 0dc08c4508cdd886186eda006793320d 492 | 493 | # splunk_uf_version: 9.2.1 494 | # splunk_uf_tgz: splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz 495 | # splunk_uf_tgz_checksum: 2ec2cea1ccdc58079d57864c95f05cc7 496 | 497 | # splunk_uf_version: 9.2.0.1 498 | # splunk_uf_tgz: splunkforwarder-9.2.0-1fff88043d5f-Linux-x86_64.tgz 499 | # splunk_uf_tgz_checksum: e8907ec7124530d9d39ecc6ec11d3861 500 | 501 | # 9.1.x 502 | 503 | # splunk_uf_version: 9.1.3 504 | # splunk_uf_tgz: splunkforwarder-9.1.3-d95b3299fa65-Linux-x86_64.tgz 505 | # splunk_uf_tgz_checksum: b81667395a7f65cdb39bb83c1cec8aed 506 | 507 | # splunk_uf_version: 9.1.2 508 | # splunk_uf_tgz: splunkforwarder-9.1.2-b6b9c8185839-Linux-x86_64.tgz 509 | # splunk_uf_tgz_checksum: 01e64b3631d22db04512af9df3e38b9b 510 | 511 | # splunk_uf_version: 9.1.1 512 | # 
splunk_uf_tgz: splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 1c20620f682c368a957002f76a25203f

# splunk_uf_version: 9.1.0.1
# splunk_uf_tgz: splunkforwarder-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: b7bba89d1d50f40873dcdc0efaac7c8c

# 9.0.x

# splunk_uf_version: 9.0.5
# splunk_uf_tgz: splunkforwarder-9.0.5-e9494146ae5c-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 5619da775eaabc52a95e492e546c13e0

# splunk_uf_version: 9.0.4
# splunk_uf_tgz: splunkforwarder-9.0.4-de405f4a7979-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 9a1470f627bfaaeab623b53d16d3505d

# splunk_uf_version: 9.0.3
# splunk_uf_tgz: splunkforwarder-9.0.3-dd0128b1f8cd-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 2e4684a853569aeb0de3c1e8ddf86dfe

# splunk_uf_version: 9.0.2
# splunk_uf_tgz: splunkforwarder-9.0.2-17e00c557dc1-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 65a2ad715e831f70bc9bdaea21096c12

# splunk_uf_version: 9.0.1
# splunk_uf_tgz: splunkforwarder-9.0.1-82c987350fde-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 47a69f1ae8543130c99af49f95f73c21

# splunk_uf_version: 9.0.0
# splunk_uf_tgz: splunkforwarder-9.0.0-6818ac46f2ec-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 11fd99eb2b846026222ba195d03d1fcd

# 8.2.x

# splunk_uf_version: 8.2.9
# splunk_uf_tgz: splunkforwarder-8.2.9-4a20fb65aa78-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: d21495c8e15c0126a030bb3c9adf94a9

# splunk_uf_version: 8.2.8
# splunk_uf_tgz: splunkforwarder-8.2.8-da25d08d5d3e-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: a10b80f233a525bf5283de8ffea38997

# splunk_uf_version: 8.2.7
# splunk_uf_tgz: splunkforwarder-8.2.7-2e1fca123028-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: a3b7a7a111f13151392e931cc795361f

# splunk_uf_version: 8.2.6
# splunk_uf_tgz: splunkforwarder-8.2.6-a6fe1ee8894b-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: caa7d70e976c0c087312144d83edb3b0

# splunk_uf_version: 8.2.5
# splunk_uf_tgz: splunkforwarder-8.2.5-77015bc7a462-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 3e28e3d2fddbb6e0654aaa6bf3e5a575

# splunk_uf_version: 8.2.4
# splunk_uf_tgz: splunkforwarder-8.2.4-87e2dda940d1-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 417f2b98a103e925bb98503bc71299d3

# splunk_uf_version: 8.2.3
# splunk_uf_tgz: splunkforwarder-8.2.3-cd0848707637-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: ee442aadf2296a228ff399539746d5cc

# splunk_uf_version: 8.2.2.1
# splunk_uf_tgz: splunkforwarder-8.2.2.1-ae6821b7c64b-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 9519e00c63bb0fdaa91c8f31c9ff0c87

# splunk_uf_version: 8.2.2
# splunk_uf_tgz: splunkforwarder-8.2.2-87344edfcdb4-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 7fdb07550800cf965eabc26985e39da9

# splunk_uf_version: 8.2.1
# splunk_uf_tgz: splunkforwarder-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 73f19e9023397ec6a5e1052bf163f0ee

# splunk_uf_version: 8.2.0
# splunk_uf_tgz: splunkforwarder-8.2.0-e053ef3c985f-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 635dc5ce808f22234503218e8b6f6851

# 8.1.x

# splunk_uf_version: 8.1.4
# splunk_uf_tgz: splunkforwarder-8.1.4-17f862b42a7c-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: c7dab10bcb04fc686cc3d3be41f088bb

# splunk_uf_version: 8.1.3
# splunk_uf_tgz: splunkforwarder-8.1.3-63079c59e632-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 80768e388552a4a4f2491388511537a9

# splunk_uf_version: 8.1.1
# splunk_uf_tgz: splunkforwarder-8.1.1-08187535c166-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 02e4a43e85fa96923e3a6ef652c85ed3

# splunk_uf_version: 8.1.0
# splunk_uf_tgz: splunkforwarder-8.1.0-f57c09e87251-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 6a4e99c6287942feb0ad1e6b97a50721

# 8.0.x

# splunk_uf_version: 8.0.9
# splunk_uf_tgz: splunkforwarder-8.0.9-153839c8b72f-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 9e13044cc2dff39bee3b3c3d2b5b9660

# splunk_uf_version: 8.0.6
# splunk_uf_tgz: splunkforwarder-8.0.6-152fb4b2bb96-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: a7ad4bcdfab8c33766e9f03bcb511fd5

# splunk_uf_version: 8.0.5
# splunk_uf_tgz: splunkforwarder-8.0.5-a1a6394cc5ae-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: db03777c8207269c60cd7670eff97f06

# splunk_uf_version: 8.0.4
# splunk_uf_tgz: splunkforwarder-8.0.4-767223ac207f-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 48a4f93e59fcb181affa6187fc32ae0b

# splunk_uf_version: 8.0.3
# splunk_uf_tgz: splunkforwarder-8.0.3-a6754d8441bf-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 2d2a62ffd04e988901d3b5bae6b635f6

# splunk_uf_version: 8.0.2.1
# splunk_uf_tgz: splunkforwarder-8.0.2.1-f002026bad55-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 30d8601f8f4a2d84608ed8ae340505c3

# splunk_uf_version: 8.0.2
# splunk_uf_tgz: splunkforwarder-8.0.2-a7f645ddaf91-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 339be950b6e11341f30d7d8cdb88d921

# splunk_uf_version: 8.0.1
# splunk_uf_tgz: splunkforwarder-8.0.1-6db836e2fb9e-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 87d3e366ac8a63abcd2e67186f7a1305

# splunk_uf_version: 8.0.0
# splunk_uf_tgz: splunkforwarder-8.0.0-1357bef0a7f6-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: c5dbe71dd4f19251a5fe82d3fd4a0e2a

# 7.3.x

# splunk_uf_version: 7.3.9
# splunk_uf_tgz: splunkforwarder-7.3.9-39a78bf1bc5b-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 8a97fb917eda1200f56effa05d910dd8

# splunk_uf_version: 7.3.8
# splunk_uf_tgz: splunkforwarder-7.3.8-bdc98854fc40-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 1e22dcec172c6a3aed60e82346bb5e11

# splunk_uf_version: 7.3.7.1
# splunk_uf_tgz: splunkforwarder-7.3.7.1-d3f7cf7c5493-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: a8023dc855411c595ad284e3f9d77937

# splunk_uf_version: 7.3.6
# splunk_uf_tgz: splunkforwarder-7.3.6-47d8552a4d84-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 27ea648afce02084eed1f2defb726d3c

# splunk_uf_version: 7.3.4
# splunk_uf_tgz: splunkforwarder-7.3.4-13e97039fb65-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: fa28674cb7aab7b521cbd7698274ccf2

# splunk_uf_version: 7.3.3
# splunk_uf_tgz: splunkforwarder-7.3.3-7af3758d0d5e-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: e1fe5174f5fa1c2d47cc41dd213f65a0

# splunk_uf_version: 7.3.2
# splunk_uf_tgz: splunkforwarder-7.3.2-c60db69f8e32-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 874c1bf7670b8d2efcacb269adfb7cd7

# splunk_uf_version: 7.3.1.1
# splunk_uf_tgz: splunkforwarder-7.3.1.1-7651b7244cf2-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: 2f94314bf44458224ad38df73ce0669a

# splunk_uf_version: 7.3.1
# splunk_uf_tgz: splunkforwarder-7.3.1-bd63e13aa157-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: eb975c1465232af3f085907fe352b560

# 7.2.x

# splunk_uf_version: 7.2.6
# splunk_uf_tgz: splunkforwarder-7.2.6-c0bf0f679ce9-Linux-x86_64.tgz
# splunk_uf_tgz_checksum: c8a17478cf4dfe79c702744a529ec9ea
--------------------------------------------------------------------------------
/hosts.sample:
--------------------------------------------------------------------------------

[splunkhosts]
my-host.splk.me ansible_host=172.16.1.1

--------------------------------------------------------------------------------
/install.yml:
--------------------------------------------------------------------------------
---
# This playbook deploys a basic Splunk Enterprise (Core) installation

- name: Apply prereqs to all nodes
  hosts: all
  gather_facts: no
  roles:
    - prereqs

- name: Install Splunk
  hosts: all
  roles:
    - core-install

--------------------------------------------------------------------------------
/os-config.yml:
--------------------------------------------------------------------------------
---
# This playbook performs basic OS level config

- name: Apply prereqs to all nodes
  hosts: all
  gather_facts: no
  roles:
    - prereqs

- name: Basic OS Configuration & Updates
  hosts: all
  roles:
    - os-config
--------------------------------------------------------------------------------
/roles/backup-etc/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Create /home/{{ os_user }}/backups dir
  file:
    path: /home/{{ os_user }}/backups
    state: directory
    mode: '0755'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: Archive (tgz) {{ splunk_home }}/etc to /home/{{ os_user }}/backups
  archive:
    path: "{{ splunk_home }}/etc"
    dest: "/home/{{ os_user }}/backups/splunk-etc-temp.tgz"
    format: gz
    # etc/ carries splunk.secret, passwd and the TLS private key from tls-config,
    # so the archive must not be world-readable
    mode: '0600'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: Name backup file with timestamp
  command: mv /home/{{ os_user }}/backups/splunk-etc-temp.tgz /home/{{ os_user }}/backups/splunk-etc-{{ inventory_hostname }}-{{ lookup('pipe', 'date +"%Y-%m-%d--%H-%M-%S"') }}.tgz
  become: yes
--------------------------------------------------------------------------------
/roles/backup-full/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Create /home/{{ os_user }}/backups dir
  file:
    path: /home/{{ os_user }}/backups
    state: directory
    mode: '0755'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: Archive (tgz) {{ splunk_home }}/ to /home/{{ os_user }}/backups
  archive:
    path: "{{ splunk_home }}/"
    dest: "/home/{{ os_user }}/backups/splunk-full-temp.tgz"
    format: gz
    # the full tree includes etc/auth (splunk.secret, private keys): keep it private
    mode: '0600'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: Name backup file with timestamp
  command: mv /home/{{ os_user }}/backups/splunk-full-temp.tgz /home/{{ os_user }}/backups/splunk-full-{{ inventory_hostname }}-{{ lookup('pipe', 'date +"%Y-%m-%d--%H-%M-%S"') }}.tgz
  become: yes
--------------------------------------------------------------------------------
/roles/core-install/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Add "{{ os_group }}" group
  group:
    name: "{{ os_group }}"
    state: present
  become: yes

- name: Add "{{ os_user }}" user with the home dir /home/{{ os_user }}/
  user:
    name: "{{ os_user }}"
    group: "{{ os_group }}"
    home: /home/{{ os_user }}/
    shell: /bin/bash
    comment: Splunk User
  become: yes

- name: Create {{ splunk_home }} dir
  file:
    path: "{{ splunk_home }}"
    state: directory
    mode: '0755'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes


- name: -TGZ- Check for the presence of /home/{{ os_user }}/{{ splunk_tgz }}
  stat:
    path: /home/{{ os_user }}/{{ splunk_tgz }}
    get_checksum: yes
    checksum_algorithm: md5
  register: splunk_tgz_downloaded_flag
  become: yes

- name: -TGZ- Download (wget) {{ splunk_tgz }}
  get_url:
    url: "https://download.splunk.com/products/splunk/releases/{{ splunk_version }}/linux/{{ splunk_tgz }}"
    checksum: "md5:{{ splunk_tgz_checksum }}"
    dest: /home/{{ os_user }}
    mode: '0640'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
    timeout: 20
  become: yes
  # fetch when the tarball is absent, or when a leftover copy (e.g. a partial
  # download) does not match the expected md5 from group_vars
  when:
    - not splunk_tgz_downloaded_flag.stat.exists or splunk_tgz_downloaded_flag.stat.checksum != splunk_tgz_checksum
    - download_tgz_from_splunk_servers

- name: -TGZ- Upload ./files/{{ splunk_tgz }} (local) to /home/{{ os_user }}/ (remote)
  copy:
    src: "files/{{ splunk_tgz }}"
    dest: /home/{{ os_user }}
    mode: '0640'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes
  when:
    - not splunk_tgz_downloaded_flag.stat.exists or splunk_tgz_downloaded_flag.stat.checksum != splunk_tgz_checksum
    - not download_tgz_from_splunk_servers

- name: -TGZ- Extract {{ splunk_tgz }} to {{ splunk_home }} to install
  unarchive:
    src: /home/{{ os_user }}/{{ splunk_tgz }}
    dest: "{{ splunk_base_path }}"
    remote_src: yes
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: "Create symlink to splunk in /usr/local/bin"
  file:
    src: "{{ splunk_home }}/bin/splunk"
    path: /usr/local/bin/splunk
    state: link
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes


- name: -user-seed.conf- Create file for default admin creds
  template:
    src: user-seed.conf.j2
    dest: "{{ splunk_home }}/etc/system/local/user-seed.conf"
    # holds the admin password in clear text until splunkd consumes it on first start
    mode: '0600'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: "-.ui_login- Touch {{ splunk_home }}/etc/.ui_login"
  file:
    path: "{{ splunk_home }}/etc/.ui_login"
    state: touch
    mode: '0644'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: -user-prefs.conf- Create file for default user/UI preferences
  template:
    src: user-prefs.conf.j2
    dest: "{{ splunk_home }}/etc/system/local/user-prefs.conf"
  become: yes

- name: -ui-tour.conf- Create file to disable default search tour
  template:
    src: ui-tour.conf.j2
    dest: "{{ splunk_home }}/etc/system/local/ui-tour.conf"
  become: yes

- name: -limits.conf- Set reasonable saved search limits (increased) for ES
  template:
    src: limits.conf.j2
    dest: "{{ splunk_home }}/etc/system/local/limits.conf"
  become: yes

- name: -web.conf- Create file to disable SSL and set up file for additional adds
  template:
    src: web.conf.j2
    dest: "{{ splunk_home }}/etc/system/local/web.conf"
  become: yes

- name: -web.conf- Disable auto update checking
  lineinfile:
    path: "{{ splunk_home }}/etc/system/local/web.conf"
    line: updateCheckerBaseURL = 0
    # the brackets must be escaped: an unescaped '[settings]' is a regex
    # character class and matches almost any line
    insertafter: '^\[settings\]'
  become: yes
  when: not check_for_updates

- name: -server.conf- Specify the WiredTiger KVstore storage engine in >= 8.1
  template:
    src: server.conf.j2
    dest: "{{ splunk_home }}/etc/system/local/server.conf"
  become: yes
  when:
    - splunk_version is version('8.1', '>=')

- name: Set {{ splunk_home }} owner & group recursively
  file:
    path: "{{ splunk_home }}"
    state: directory
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
    recurse: yes
  become: yes

- name: Ensure default Splunk systemd unit file does not already exist
  file:
    path: /etc/systemd/system/Splunkd.service
    state: absent
  become: yes


- name: -initd & Splunk 7.2.1 or earlier- Splunk enable boot-start
  command: "{{ splunk_home }}/bin/splunk enable boot-start -user {{ os_user }} --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "initd"
    - splunk_version is version('7.2.1', '<=')

- name: -initd & Splunk later than 7.2.1- Splunk enable boot-start
  command: "{{ splunk_home }}/bin/splunk enable boot-start -systemd-managed 0 -user {{ os_user }} --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "initd"
    # strictly greater than 7.2.1 so that 7.2.0/7.2.1 do not run both tasks
    - splunk_version is version('7.2.1', '>')

- name: -initd- Start Splunk for the first time
  command: "{{ splunk_home }}/bin/splunk start --no-prompt --answer-yes --accept-license"
  become: yes
  when: install_method == "initd"


- name: -systemd & Splunk 7.2.2 to 7.2.x- Splunk enable boot-start (no systemd arguments added)
  command: "{{ splunk_home }}/bin/splunk enable boot-start -user {{ os_user }} --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "systemd"
    - splunk_version is version('7.2.2', '>=')
    - splunk_version is version('7.3', '<')

- name: -systemd & Splunk 7.3 to 8.1.0- Splunk enable boot-start (-systemd-managed 1)
  command: "{{ splunk_home }}/bin/splunk enable boot-start -systemd-managed 1 -user {{ os_user }} --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "systemd"
    - splunk_version is version('7.3', '>=')
    - splunk_version is version('8.1.1', '<')

- name: -systemd & Splunk 8.1.1 polkit- Install "polkit" for 8.1.1 or later on CentOS, RHEL, and Amazon Linux
  yum:
    name: polkit
    state: latest
  become: yes
  when:
    - install_method == "systemd"
    - splunk_version is version('8.1.1', '>=')
    - ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Amazon'

- name: -systemd & Splunk 8.1.1 or later- Splunk enable boot-start (-systemd-managed 1) (-create-polkit-rules 1)
  command: "{{ splunk_home }}/bin/splunk enable boot-start -systemd-managed 1 -create-polkit-rules 1 -user {{ os_user }} --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "systemd"
    - splunk_version is version('8.1.1', '>=')

- name: -systemd & Ubuntu- Fix the /etc/systemd/system/Splunkd.service file for Ubuntu support
  replace:
    path: /etc/systemd/system/Splunkd.service
    regexp: '\/init.scope'
    replace: ''
  become: yes
  when:
    - install_method == "systemd"
    - ansible_distribution == "Ubuntu"

- name: -systemd & Ubuntu- Fix the cgroups path reference in /etc/systemd/system/Splunkd.service (Ubuntu 22.04)
  replace:
    path: /etc/systemd/system/Splunkd.service
    regexp: '\/sys\/fs\/cgroup\/\w+'
    replace: '/sys/fs/cgroup'
  become: yes
  when:
    - install_method == "systemd"
    - ansible_distribution == "Ubuntu"
    # numeric compare; the fact is a string and ">=" on strings sorts lexically
    - ansible_distribution_major_version | int >= 22

- name: -systemd & Ubuntu- After Splunkd.service update reload the systemd daemon units
  command: systemctl daemon-reload
  become: yes
  when:
    - install_method == "systemd"
    - ansible_distribution == "Ubuntu"

- name: -systemd- Start Splunk for the first time
  command: "systemctl start Splunkd"
  become: yes
  when:
    - install_method == "systemd"
--------------------------------------------------------------------------------
/roles/core-install/templates/limits.conf.j2:
--------------------------------------------------------------------------------
[scheduler]
max_searches_perc = 90
auto_summary_perc = 100

[kv]
limit = 500
indexed_kv_limit = 500
--------------------------------------------------------------------------------
/roles/core-install/templates/server.conf.j2:
--------------------------------------------------------------------------------
[kvstore]
storageEngine=wiredTiger
--------------------------------------------------------------------------------
/roles/core-install/templates/ui-tour.conf.j2:
--------------------------------------------------------------------------------
[search-tour]
viewed = 1
--------------------------------------------------------------------------------
/roles/core-install/templates/user-prefs.conf.j2:
--------------------------------------------------------------------------------
[general]
render_version_messages = 0
dismissedInstrumentationOptInVersion = 4
hideInstrumentationOptInModal = 1
notification_python_3_impact = false
--------------------------------------------------------------------------------
/roles/core-install/templates/user-seed.conf.j2:
--------------------------------------------------------------------------------
# Seeds the initial admin account; splunkd reads and removes this file on first start.
# The password is written in clear text here, so the file must stay owner-only.
[user_info]
USERNAME = {{ splunk_user }}
PASSWORD = {{ splunk_pass }}
--------------------------------------------------------------------------------
/roles/core-install/templates/web.conf.j2:
--------------------------------------------------------------------------------
# Splunk Web starts without TLS; the tls-config role sets enableSplunkWebSSL = 1
# once a certificate and private key are in place.
[settings]
max_upload_size = 1024
enableSplunkWebSSL = 0
--------------------------------------------------------------------------------
/roles/core-upgrade/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: -TGZ- Check for the presence of /home/{{ os_user }}/{{ splunk_tgz }}
  stat:
    path: /home/{{ os_user }}/{{ splunk_tgz }}
    get_checksum: yes
    checksum_algorithm: md5
  register: splunk_tgz_downloaded_flag
  become: yes

- name: -TGZ- Download (wget) {{ splunk_tgz }}
  get_url:
    url: "https://download.splunk.com/products/splunk/releases/{{ splunk_version }}/linux/{{ splunk_tgz }}"
    checksum: "md5:{{ splunk_tgz_checksum }}"
    dest: /home/{{ os_user }}
    mode: '0640'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
    timeout: 20
  become: yes
  # fetch when the tarball is absent or a leftover copy fails the md5 check
  when:
    - not splunk_tgz_downloaded_flag.stat.exists or splunk_tgz_downloaded_flag.stat.checksum != splunk_tgz_checksum
    - download_tgz_from_splunk_servers

- name: -TGZ- Upload ./files/{{ splunk_tgz }} (local) to /home/{{ os_user }}/ (remote)
  copy:
    src: "files/{{ splunk_tgz }}"
    dest: /home/{{ os_user }}
    mode: '0640'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes
  when:
    - not splunk_tgz_downloaded_flag.stat.exists or splunk_tgz_downloaded_flag.stat.checksum != splunk_tgz_checksum
    - not download_tgz_from_splunk_servers


- name: Check if Splunk has ever been run via initd
  stat:
    path: /etc/init.d/splunk
  register: initd_run_flag

- name: Check if Splunk has ever been run via systemd
  stat:
    path: /etc/systemd/system/Splunkd.service
  register: systemd_run_flag

- name: -initd- Stop Splunk pre-upgrade
  command: "{{ splunk_home }}/bin/splunk stop"
  become: yes
  when: initd_run_flag.stat.exists

- name: -systemd- Stop Splunk pre-upgrade
  systemd:
    name: Splunkd
    state: stopped
  become: yes
  when: systemd_run_flag.stat.exists

- name: Extract {{ splunk_tgz }} over {{ splunk_home }} to upgrade
  unarchive:
    src: /home/{{ os_user }}/{{ splunk_tgz }}
    dest: "{{ splunk_base_path }}"
    remote_src: yes
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: -initd- Start Splunk for the first time post upgrade
  command: "{{ splunk_home }}/bin/splunk start --accept-license --answer-yes"
  become: yes
  when:
    - install_method == "initd"

- name: -systemd- For initd -> systemd upgrades remove initd script
  command: "{{ splunk_home }}/bin/splunk disable boot-start --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "systemd"

- name: -systemd & Splunk 7.2- For initd -> systemd upgrade rebuild systemd script
  # non-interactive flags added so the command cannot stall on a prompt under Ansible
  command: "{{ splunk_home }}/bin/splunk enable boot-start -user {{ os_user }} --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "systemd"
    - splunk_version is version('7.2.2', '>=')
    - splunk_version is version('7.3', '<')

- name: -systemd & Splunk 7.3 to 8.1.0- For initd -> systemd upgrade rebuild systemd script (-systemd-managed 1)
  command: "{{ splunk_home }}/bin/splunk enable boot-start -systemd-managed 1 -user {{ os_user }} --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "systemd"
    - splunk_version is version('7.3', '>=')
    - splunk_version is version('8.1.1', '<')

- name: -systemd & Splunk 8.1.1 or later- For initd -> systemd upgrade rebuild systemd script (-systemd-managed 1) (-create-polkit-rules 1)
  command: "{{ splunk_home }}/bin/splunk enable boot-start -systemd-managed 1 -create-polkit-rules 1 -user {{ os_user }} --no-prompt --answer-yes --accept-license"
  become: yes
  when:
    - install_method == "systemd"
    - splunk_version is version('8.1.1', '>=')

- name: -systemd & Ubuntu- Fix the /etc/systemd/system/Splunkd.service file for Ubuntu support
  replace:
    path: /etc/systemd/system/Splunkd.service
    regexp: '\/init.scope'
    replace: ''
  become: yes
  when:
    - install_method == "systemd"
    - ansible_distribution == "Ubuntu"

- name: -systemd & Ubuntu- Fix the cgroups path reference in /etc/systemd/system/Splunkd.service (Ubuntu 22.04)
  replace:
    path: /etc/systemd/system/Splunkd.service
    regexp: '\/sys\/fs\/cgroup\/\w+'
    replace: '/sys/fs/cgroup'
  become: yes
  when:
    - install_method == "systemd"
    - ansible_distribution == "Ubuntu"
    # numeric compare; the fact is a string and ">=" on strings sorts lexically
    - ansible_distribution_major_version | int >= 22

- name: -systemd & Ubuntu- After Splunkd.service update reload the systemd daemon units
  command: systemctl daemon-reload
  become: yes
  when:
    - install_method == "systemd"
    - ansible_distribution == "Ubuntu"

- name: -systemd- Start Splunk for the first time post upgrade
  command: "systemctl start Splunkd"
  become: yes
  when:
    - install_method == "systemd"
--------------------------------------------------------------------------------
/roles/os-config/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Check if cloud-init exists on this system
  stat:
    path: /etc/cloud/
  register: cloud_init_exists

- name: Tell cloud-init that its job is done (preserves hostname through reboots)
  file:
    path: /etc/cloud/cloud-init.disabled
    state: touch
  become: yes
  # test the stat result; the registered variable itself is a dict and never == True
  when: cloud_init_exists.stat.exists

- name: Set the hostname as per the Ansible inventory file
  hostname:
    name: "{{ inventory_hostname }}"
  become: yes


- name: Add "{{ os_group }}" group (so we can set ulimits)
  group:
    name: "{{ os_group }}"
    state: present
  become: yes

- name: Add "{{ os_user }}" user with the home dir /home/{{ os_user }}/ (so we can set ulimits)
  user:
    name: "{{ os_user }}"
    group: "{{ os_group }}"
    home: /home/{{ os_user }}/
    shell: /bin/bash
    comment: Splunk User
  become: yes


- name: -ulimits- Set /etc/security/limits.conf for "{{ os_user }}" user
  # PAM limits apply to initd/login sessions; a systemd-managed Splunkd takes its
  # limits (LimitNOFILE, LimitNPROC, ...) from the generated unit file instead
  template:
    src: limits.conf.j2
    dest: "/etc/security/limits.conf"
  become: yes


- name: -THP- Install disable-thp script to be run at boot time
  template:
    src: disable-thp.j2
    dest: "/usr/local/bin/disable-thp"
    mode: '0754'
  become: yes

- name: -THP- Install disable-thp systemd unit file
  template:
    src: disable-thp.service.j2
    dest: "/etc/systemd/system/disable-thp.service"
    mode: '0644'
  become: yes

- name: -THP- Configure systemd to run disable-thp at boot time
  systemd:
    name: disable-thp
    enabled: yes
    masked: no
  become: yes

- name: -THP- Run the disable-thp script
  command: /usr/local/bin/disable-thp
  become: yes


- name: -firewalld- Check if /usr/sbin/firewalld exists
  stat:
    path: /usr/sbin/firewalld
  register: firewalld_flag

- name: -firewalld- Allow tcp/8000 traffic through firewalld
  firewalld:
    port: "8000/tcp"
    permanent: yes
    state: enabled
  become: yes
  when: firewalld_flag.stat.exists

- name: -firewalld- Reload firewalld rules while maintaining session state (be nice to Ansible)
  command:
    cmd: firewall-cmd --reload
  become: yes
  when: firewalld_flag.stat.exists


- name: -iptables- Redirect 443 to 8000 (Ubuntu and Amazon Linux)
  # the iptables module checks for the rule first, so re-runs do not append
  # duplicate REDIRECT rules; the rule is not persisted across reboots
  iptables:
    table: nat
    chain: PREROUTING
    protocol: tcp
    destination_port: "443"
    jump: REDIRECT
    to_ports: "8000"
  become: yes
  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Amazon'


- name: -Ubuntu Updates- Run the equivalent of "apt-get update" as a separate step
  apt:
    update_cache: yes
  become: yes
  when: ansible_distribution == "Ubuntu"

- name: -Ubuntu- Update all packages to the latest version "apt-get upgrade"
  apt:
    name: "*"
    state: latest
    autoremove: yes
  become: yes
  when: ansible_distribution == "Ubuntu"


- name: -RedHat, CentOS, and Amazon Linux- Yum OS Package Updates
  yum:
    name: "*"
    state: latest
  become: yes
  when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Amazon'


- name: -PolicyKit- Install PolicyKit using apt-get (supported in 8.1.1)
  apt:
    name: policykit-1
    state: latest
  become: yes
  when: ansible_distribution == "Ubuntu"

- name: -PolicyKit- Install PolicyKit using yum (supported in 8.1.1)
  yum:
    name: polkit
    state: latest
  become: yes
  when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Amazon'
--------------------------------------------------------------------------------
/roles/os-config/templates/disable-thp.j2:
--------------------------------------------------------------------------------
#!/bin/bash

#SPLUNK: disable THP at boot time
THP=$(find /sys/kernel/mm/ -name transparent_hugepage -type d | tail -n 1)
for SETTING in "enabled" "defrag"; do
  if test -f "${THP}/${SETTING}"; then
    echo never > "${THP}/${SETTING}"
  fi
done
--------------------------------------------------------------------------------
/roles/os-config/templates/disable-thp.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=disable-thp script

[Service]
Type=oneshot
ExecStart=/usr/local/bin/disable-thp

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/roles/os-config/templates/limits.conf.j2:
--------------------------------------------------------------------------------
# /etc/security/limits.conf
#
# This file sets the resource limits for the users logged in via PAM.
# It does not affect resource limits of the system services.
#
# Also note that configuration files in /etc/security/limits.d directory,
# which are read in alphabetical order, override the settings in this
# file in case the domain is the same or more specific.
# That means for example that setting a limit for wildcard domain here
# can be overridden with a wildcard setting in a config file in the
# subdirectory, but a user specific setting here can be overridden only
# with a user specific setting in the subdirectory.
#
# Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
# Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#

# Per-user entries (no '@'): '@name' would address a *group* and only hold when
# os_group happens to be spelled the same as os_user.
{{ os_user }} hard core 0
{{ os_user }} hard maxlogins 10
{{ os_user }} soft nofile 65535
{{ os_user }} hard nofile 65535
{{ os_user }} soft nproc 20480
{{ os_user }} hard nproc 20480
{{ os_user }} soft fsize unlimited
{{ os_user }} hard fsize unlimited

# End of file
--------------------------------------------------------------------------------
/roles/prereqs/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Install python3 or python-minimal if not already available (ansible prereq)
  raw: sudo bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qy python-minimal) || (apt -qqy update && apt install -qy python3) || (yum -y install python2)"
  become: yes
  ignore_errors: yes
--------------------------------------------------------------------------------
/roles/tls-config/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Create {{ splunk_home }}/etc/auth/mycerts dir
  file:
    path: "{{ splunk_home }}/etc/auth/mycerts/"
    state: directory
    mode: '0755'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: -SSL Certs- Upload public key file (mycerts/cert.pem)
  copy:
    src: "certs/cert.pem"
    dest: "{{ splunk_home }}/etc/auth/mycerts/cert.pem"
    mode: '0640'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: -SSL Certs- Upload private key file (mycerts/privkey.pem)
  copy:
    src: "certs/privkey.pem"
    dest: "{{ splunk_home }}/etc/auth/mycerts/privkey.pem"
    # only splunkd (running as os_user) needs to read the private key
    mode: '0600'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes


- name: -config updates- Ensure $SPLUNK_HOME/etc/system/local/web.conf exists
  file:
    path: "{{ splunk_home }}/etc/system/local/web.conf"
    # 'touch' creates the file when missing; 'state: file' would only fail in that case
    state: touch
    modification_time: preserve
    access_time: preserve
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes

- name: -config updates- Ensure web.conf contains the [settings] stanza
  lineinfile:
    path: "{{ splunk_home }}/etc/system/local/web.conf"
    line: "[settings]"
    state: present
  become: yes

# The three attribute tasks anchor on the escaped stanza header: an unescaped
# '[settings]' is a regex character class, and inserting *before* the header would
# put the attribute outside the stanza.
- name: -config updates- Add serverCert attribute to [settings]
  lineinfile:
    path: "{{ splunk_home }}/etc/system/local/web.conf"
    regexp: '^serverCert\s*='
    insertafter: '^\[settings\]'
    line: 'serverCert = {{ splunk_home }}/etc/auth/mycerts/cert.pem'
  become: yes

- name: -config updates- Add privKeyPath attribute to [settings]
  lineinfile:
    path: "{{ splunk_home }}/etc/system/local/web.conf"
    regexp: '^privKeyPath\s*='
    insertafter: '^\[settings\]'
    line: 'privKeyPath = {{ splunk_home }}/etc/auth/mycerts/privkey.pem'
  become: yes

- name: -config updates- Set enableSplunkWebSSL = 1
  # lineinfile rather than replace, so the setting is also added when web.conf
  # was not created by core-install and has no 'enableSplunkWebSSL = 0' line
  lineinfile:
    path: "{{ splunk_home }}/etc/system/local/web.conf"
    regexp: '^enableSplunkWebSSL\s*='
    insertafter: '^\[settings\]'
    line: 'enableSplunkWebSSL = 1'
  become: yes


- name: -initd- Restart splunkd to load the new key pair
  command: "{{ splunk_home }}/bin/splunk restart"
  become: yes
  when:
    - install_method == "initd"

- name: -systemd- Restart splunkd to load the new key pair
  command: "systemctl restart Splunkd"
  become: yes
  when:
    - install_method == "systemd"
--------------------------------------------------------------------------------
/roles/uf-config/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: -UF- Create outputs.conf for default log forwarding
  template:
    src: outputs.conf.j2
    dest: "{{ splunk_uf_home }}/etc/system/local/outputs.conf"
  become: yes

- name: -DS- Set the deployment server name or IP
  command: "{{ splunk_uf_home }}/bin/splunk set deploy-poll {{ uf_deploy_server_address }}:{{ uf_deploy_server_port }} -auth {{ splunk_uf_user }}:{{ splunk_uf_pass }}"
  become: yes
  # the command line carries the UF admin password; keep it out of play output and logs
  no_log: true

- name: -initd- Restart Splunk UF
  command: "{{ splunk_uf_home }}/bin/splunk restart"
  become: yes
--------------------------------------------------------------------------------
/roles/uf-config/templates/outputs.conf.j2:
--------------------------------------------------------------------------------
#
# Forward _internal UF logs to indexer tier
# https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata
#

# Do not index locally; forward everything to the indexer tier
[indexAndForward]
index = false

[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
server={{ uf_forward_internal_logs_address }}:{{ uf_forward_internal_logs_port }}

--------------------------------------------------------------------------------
/roles/uf-install/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Add {{ os_group }} group
  group:
    name: "{{ os_group }}"
    state: present
  become: yes

- name: Add {{ os_user }} user
  user:
    name: "{{ os_user }}"
    group: "{{ os_group }}"
    home: /home/{{ os_user }}
    shell: /bin/bash
    comment: Splunk User
  become: yes

- name: Create {{ splunk_uf_home }} dir
  file:
    path: "{{ splunk_uf_home }}"
    state: directory
    mode: '0755'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
  become: yes


- name: -TGZ- Check for the presence of /home/{{ os_user }}/{{ splunk_uf_tgz }}
  stat:
    path: /home/{{ os_user }}/{{ splunk_uf_tgz }}
    get_checksum: yes
    checksum_algorithm: md5
  register: splunk_uf_tgz_downloaded_flag
  become: yes

- name: -TGZ- Download (wget) {{ splunk_uf_tgz }}
  get_url:
    url: "https://download.splunk.com/products/universalforwarder/releases/{{ splunk_uf_version }}/linux/{{ splunk_uf_tgz }}"
    checksum: "md5:{{ splunk_uf_tgz_checksum }}"
    dest: /home/{{ os_user }}
    mode: '0640'
    owner: "{{ os_user }}"
    group: "{{ os_group }}"
    timeout: 20
  become: yes
  # fetch when the tarball is absent or a leftover copy fails the md5 check
  when:
    - not splunk_uf_tgz_downloaded_flag.stat.exists or splunk_uf_tgz_downloaded_flag.stat.checksum != splunk_uf_tgz_checksum
    - download_uf_tgz_from_splunk_servers

- name: -TGZ- Upload ./files/{{ splunk_uf_tgz }} (local) to
/home/{{ os_user }}/ (remote) 49 | copy: 50 | src: "files/{{ splunk_uf_tgz }}" 51 | dest: /home/{{ os_user }} 52 | mode: '0640' 53 | owner: "{{ os_user }}" 54 | group: "{{ os_group }}" 55 | become: yes 56 | when: splunk_uf_tgz_downloaded_flag.stat.exists == False and not download_uf_tgz_from_splunk_servers 57 | 58 | - name: -TGZ- Extract {{ splunk_uf_tgz }} to {{ splunk_uf_home }} to install 59 | unarchive: 60 | src: /home/{{ os_user }}/{{ splunk_uf_tgz }} 61 | dest: "{{ splunk_base_path }}" 62 | remote_src: yes 63 | owner: "{{ os_user }}" 64 | group: "{{ os_group }}" 65 | become: yes 66 | 67 | 68 | - name: Create user-seed.conf file for default admin creds 69 | template: 70 | src: user-seed.conf.j2 71 | dest: "{{ splunk_uf_home }}/etc/system/local/user-seed.conf" 72 | become: yes 73 | 74 | - name: Set {{ splunk_uf_home }} owner & group recursively 75 | file: 76 | path: "{{ splunk_uf_home }}" 77 | state: directory 78 | owner: "{{ os_user }}" 79 | group: "{{ os_group }}" 80 | recurse: yes 81 | become: yes 82 | 83 | 84 | - name: -initd- Splunk enable boot-start 85 | command: "{{ splunk_uf_home }}/bin/splunk enable boot-start -user {{ os_user }} --no-prompt --answer-yes --accept-license" 86 | become: yes 87 | 88 | - name: -initd- Start Splunk UF for the first time 89 | command: "{{ splunk_uf_home }}/bin/splunk start --no-prompt --answer-yes --accept-license" 90 | become: yes 91 | 92 | 93 | - name: "Create symlink to splunk in /usr/local/bin" 94 | file: 95 | src: "{{ splunk_uf_home }}/bin/splunk" 96 | path: /usr/local/bin/splunk 97 | state: link 98 | owner: "{{ os_user }}" 99 | group: "{{ os_group }}" 100 | become: yes -------------------------------------------------------------------------------- /roles/uf-install/templates/user-seed.conf.j2: -------------------------------------------------------------------------------- 1 | [user_info] 2 | USERNAME = {{ splunk_uf_user }} 3 | PASSWORD = {{ splunk_uf_pass }} 4 | 
-------------------------------------------------------------------------------- /roles/uf-upgrade/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Ensure {{ splunk_uf_home }} dir exists 4 | file: 5 | path: "{{ splunk_uf_home }}" 6 | state: directory 7 | mode: 0755 8 | owner: "{{ os_user }}" 9 | group: "{{ os_group }}" 10 | become: yes 11 | 12 | - name: -initd- Stop the UF 13 | command: "{{ splunk_uf_home }}/bin/splunk stop" 14 | become: yes 15 | 16 | 17 | - name: Check for the presence of /home/{{ os_user }}/{{ splunk_uf_tgz }} 18 | stat: 19 | path: /home/{{ os_user }}/{{ splunk_uf_tgz }} 20 | get_checksum: yes 21 | checksum_algorithm: md5 22 | register: splunk_uf_tgz_downloaded_flag 23 | become: yes 24 | 25 | - name: -TGZ- Download (wget) {{ splunk_uf_tgz }} 26 | get_url: 27 | url: "https://download.splunk.com/products/universalforwarder/releases/{{ splunk_uf_version }}/linux/{{ splunk_uf_tgz }}" 28 | checksum: "md5:{{ splunk_uf_tgz_checksum }}" 29 | dest: /home/{{ os_user }} 30 | mode: 0640 31 | owner: "{{ os_user }}" 32 | group: "{{ os_group }}" 33 | timeout: 20 34 | become: yes 35 | when: splunk_uf_tgz_downloaded_flag.stat.exists == False and download_uf_tgz_from_splunk_servers 36 | 37 | - name: -TGZ- Upload ./files/{{ splunk_uf_tgz }} (local) to /home/{{ os_user }}/ (remote) 38 | copy: 39 | src: "files/{{ splunk_uf_tgz }}" 40 | dest: /home/{{ os_user }} 41 | mode: '0640' 42 | owner: "{{ os_user }}" 43 | group: "{{ os_group }}" 44 | become: yes 45 | when: splunk_uf_tgz_downloaded_flag.stat.exists == False and not download_uf_tgz_from_splunk_servers 46 | 47 | - name: Extract {{ splunk_uf_tgz }} to {{ splunk_uf_home }} to upgrade 48 | unarchive: 49 | src: /home/{{ os_user }}/{{ splunk_uf_tgz }} 50 | dest: "{{ splunk_base_path }}" 51 | remote_src: yes 52 | owner: "{{ os_user }}" 53 | group: "{{ os_group }}" 54 | become: yes 55 | 56 | - name: Set {{ splunk_uf_home }} owner & group recursively 
57 | file: 58 | path: "{{ splunk_uf_home }}" 59 | state: directory 60 | owner: "{{ os_user }}" 61 | group: "{{ os_group }}" 62 | recurse: yes 63 | become: yes 64 | 65 | 66 | - name: -initd- Splunk enable boot-start 67 | command: "{{ splunk_uf_home }}/bin/splunk enable boot-start -user {{ os_user }} --no-prompt --answer-yes --accept-license" 68 | become: yes 69 | 70 | - name: -initd- Start Splunk UF for the first time 71 | command: "{{ splunk_uf_home }}/bin/splunk start --no-prompt --answer-yes --accept-license" 72 | become: yes 73 | 74 | 75 | - name: "Create symlink to splunk in /usr/local/bin" 76 | file: 77 | src: "{{ splunk_uf_home }}/bin/splunk" 78 | path: /usr/local/bin/splunk 79 | state: link 80 | owner: "{{ os_user }}" 81 | group: "{{ os_group }}" 82 | become: yes -------------------------------------------------------------------------------- /tls-config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook configures a Splunk instance to use a 3rd party SSL/TLS key pair. 3 | 4 | - name: Apply prereqs to all nodes 5 | hosts: all 6 | gather_facts: no 7 | roles: 8 | - prereqs 9 | 10 | - name: Apply SSL/TLS cert to web UI port (default tcp/8000) 11 | hosts: all 12 | roles: 13 | - tls-config 14 | -------------------------------------------------------------------------------- /uf-combo.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook installs AND configures the Splunk UF. 3 | # Note: This works differently from regular combo.yml. 4 | # We do not automatically run os-config.yml for a UF OS 5 | # but it certainly can be run manually if needed. 
6 | 7 | - name: Apply prereqs to all nodes 8 | hosts: all 9 | gather_facts: no 10 | roles: 11 | - prereqs 12 | 13 | - name: Install Splunk Universal Forwarder 14 | hosts: all 15 | roles: 16 | - uf-install 17 | 18 | - name: Configure Splunk Universal Forwarder 19 | hosts: all 20 | roles: 21 | - uf-config 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /uf-config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook configures an already installed UF (uf-install.yml) to: 3 | # 1) Connect to the deployment server. 4 | # 2) Forward _internal logs to the indexer tier. 5 | 6 | - name: Apply prereqs to all nodes 7 | hosts: all 8 | gather_facts: no 9 | roles: 10 | - prereqs 11 | 12 | - name: Configure Splunk Universal Forwarder 13 | hosts: all 14 | roles: 15 | - uf-config 16 | -------------------------------------------------------------------------------- /uf-install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook deploys a basic Splunk Universal Forwarder installation 3 | 4 | - name: Apply prereqs to all nodes 5 | hosts: all 6 | gather_facts: no 7 | roles: 8 | - prereqs 9 | 10 | - name: Install Splunk Universal Forwarder 11 | hosts: all 12 | roles: 13 | - uf-install 14 | -------------------------------------------------------------------------------- /uf-upgrade.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook upgrades the Splunk Universal Forwarder 3 | 4 | - name: Apply prereqs to all nodes 5 | hosts: all 6 | gather_facts: no 7 | roles: 8 | - prereqs 9 | 10 | - name: Upgrade Splunk Universal Forwarder 11 | hosts: all 12 | roles: 13 | - uf-upgrade 14 | -------------------------------------------------------------------------------- /upgrade.yml: -------------------------------------------------------------------------------- 1 | 
--- 2 | # This playbook upgrades a basic Splunk Enteprise (Core) installation 3 | 4 | - name: Upgrade Splunk 5 | hosts: all 6 | roles: 7 | - core-upgrade 8 | 9 | 10 | --------------------------------------------------------------------------------
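A post-deploy check for the web.conf that the tls-config role edits, added here as an example and not part of the Ansible-Splunk-Base project. It parses a Splunk .conf file into stanzas and confirms that serverCert, privKeyPath and enableSplunkWebSSL ended up inside [settings], which is what the role's lineinfile tasks intend; the two conf texts and the splunk_home value are constructed assumptions.

```python
import re

SPLUNK_HOME = "/opt/splunk"  # assumed value of the role's splunk_home variable

def parse_conf(text):
    """Return {stanza: {key: value}}; keys above the first header go to 'default'."""
    stanzas, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def check_tls_settings(text, splunk_home=SPLUNK_HOME):
    """List every TLS attribute that is missing or wrong inside [settings]."""
    settings = parse_conf(text).get("settings", {})
    expected = {
        "serverCert": f"{splunk_home}/etc/auth/mycerts/cert.pem",
        "privKeyPath": f"{splunk_home}/etc/auth/mycerts/privkey.pem",
        "enableSplunkWebSSL": "1",
    }
    return [f"[settings] {key} should be {want!r}, found {settings.get(key)!r}"
            for key, want in expected.items() if settings.get(key) != want]

# Constructed: attributes inserted *before* the [settings] header land outside the stanza.
BAD_CONF = """serverCert = /opt/splunk/etc/auth/mycerts/cert.pem
privKeyPath = /opt/splunk/etc/auth/mycerts/privkey.pem
[settings]
enableSplunkWebSSL = 0
"""

# Constructed: the layout the role writes when it inserts after '^\[settings\]'.
GOOD_CONF = """[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/privkey.pem
serverCert = /opt/splunk/etc/auth/mycerts/cert.pem
"""

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, check_tls_settings(conf) or "OK")
```

Point it at the real file with `check_tls_settings(open(f"{SPLUNK_HOME}/etc/system/local/web.conf").read())` after the playbook has run.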