This cookbook manages a Splunk Universal Forwarder (client) or a Splunk Enterprise (server) installation, including a Splunk clustered environment.
The Splunk default user is admin and the password is changeme. See the
setup_auth
recipe below for more information about how to manage
changing the password with Chef and Chef Vault.
This recipe downloads packages from Splunk directly. There are attributes to set a URL to retrieve the packages, so if the packages are mirrored locally, supply the local URL instead. At this time the cookbook doesn't support installing from networked package managers (like apt or yum), since Splunk doesn't provide package repositories.
Chef 12.1+
This cookbook uses Test Kitchen to do cross-platform convergence and post-convergence tests. The tested platforms are considered supported. This cookbook may work on other platforms or platform versions with or without modification.
- Debian 7
- Ubuntu 12.04, 14.04
- CentOS 6
- OmniOS r151008
Used for managing secrets, see Usage:
- chef-vault
Attributes have default values set in attributes/default.rb
. Where
possible or appropriate, the default values from Splunk Enterprise are
used.
General attributes:
node['splunk']['accept_license']
: Whether to accept the Splunk EULA. Default is false. This must be set to true for Splunk to be functional with this cookbook, which means end users must read the EULA and agree to the terms.node['splunk']['is_server']
: Set this to true if the node is a splunk server, for example in a role. Default is false.node['splunk']['disabled']
: Disable the splunk agent by setting this to true. Default is false.node['splunk']['receiver_port']
: The port that the receiver (server) listens to. This is set to the Splunk Enterprise default, 9997.node['splunk']['mgmt_port']
: The port that splunkd service listens to, aka the management port. This is set to the Splunk Enterprise default, 8089.node['splunk']['web_port']
: The port that the splunkweb service listens to. This is set to the default for HTTPS, 443, as it is configured by thesetup_ssl
recipe.node['splunk']['ratelimit_kilobytessec']
: The default splunk rate limiting rate can now easily be changed with an attribute. Default is 2048KBytes/sec.
The two URL attributes below are selected by platform and architecture by default.
node['splunk']['forwarder']['url']
: The URL to the Splunk Universal Forwarder package file.node['splunk']['server']['url']
: The URL to the Splunk Enterprise package file.
Special attributes for managing the Splunk user:
node['splunk']['user']
: A hash of attributes to set for the splunk user resource in theuser
recipe. It's unlikely that someone would need to change these, other than the UID, but just in case...
username
: the usernamecomment
: gecos fieldhome
: the home directory, defaults to/opt/splunkforwarder
, will be set to/opt/splunk
ifnode['splunk']['is_server']
is true.shell
: the shell to useuid
: the numeric UID. The default,396
is an integer arbitrarily chosen and doesn't conflict with anything on the supported platforms (see list above). It is within thesystem
UID range on Linux systems.
node['splunk']['server']['runasroot']
: if runasroot is true (which is the splunk upstream package default) then the splunk server runs as root. If runasroot is false modify the init script to run as thenode['splunk']['user']
. This does not apply to the splunk client as they may need root permissions to read logfiles. NOTE1: you may also need to changenode['splunk']['web_port']
on a splunk server to run on a port >1024 if you don't run as root (splunk user cannot bind to privelaged ports). NOTE2: If you want to switch from root to the splunk user or vice versa on an existing install, please stop the splunk service first before changing the runasroot boolean value.
The following attributes are related to setting up splunkweb
with
SSL in the setup_ssl
recipe.
node['splunk']['ssl_options']
: A hash of SSL options used in thesetup_ssl
recipenode['splunk']['ssl_options']['enable_ssl']
: Whether to enable SSL, must be set totrue
to use thesetup_ssl
recipe. Defaults tofalse
, must be set using a boolean literaltrue
orfalse
.node['splunk']['ssl_options']['data_bag']
: The data bag name to load, defaults tovault
(as chef-vault is used).node['splunk']['ssl_options']['data_bag_item']
: The data bag item name that contains the keyfile and crtfile, defaults tosplunk_certificates
.node['splunk']['ssl_options']['keyfile']
: The name of the SSL key file, and the content will be written toetc/auth/splunkweb/KEYFILE
. Must be an element underdata
in the data bag item. See Usage for instructions. Defaults to 'self-signed.example.com.key
', and should be changed to something relevant for the local site before use, in a role or wrapper cookbook.node['splunk']['ssl_options']['crtfile']
: The name of the SSL cert (crt) file, and the content will be written to/etc/auth/splunkweb/CRTFILE
. Must be an element underdata
in the data bag item. See Usage for instructions. Defaults to 'self-signed.example.com.crt
', and should be changed to something relevant for the local site before use, in a role or wrapper cookbook.
The following attributes are related to setting up a Splunk server with indexer
clustering in the setup_clustering
recipe:
-
node['splunk']['clustering']
: A hash of indexer clustering configurations used in thesetup_clustering
recipe -
node['splunk']['clustering']['enabled']
: Whether to enable indexer clustering, must be set totrue
to use thesetup_clustering
recipe. Defaults tofalse
, must be a boolean literaltrue
orfalse
. -
node['splunk']['clustering']['num_sites']
: The number of sites in the cluster. Multisite is enabled automatically if num_sites > 1. Defaults to 1, must be a positive integer. -
node['splunk']['clustering']['mode']
: The clustering mode of the node within the indexer cluster. Must be set using string literal 'master', 'slave', or 'searchhead'. -
node['splunk']['clustering']['replication_port']
: The replication port of the cluster peer member. Only valid whennode['splunk']['clustering']['mode']='slave'
. Defaults to 9887. -
For single-site clustering (
node['splunk']['clustering']['num_sites']
= 1):node['splunk']['clustering']['replication_factor']
: The replication factor of the indexer cluster. Defaults to 3, must be a positive integer. Only valid whennode['splunk']['clustering']['mode']='master'
andnode['splunk']['clustering']['num_sites']
=1 (single-site clustering).node['splunk']['clustering']['search_factor']
: The search factor of the indexer cluster. Only valid whennode['splunk']['clustering']['mode']='master'
andnode['splunk']['clustering']['num_sites']
=1 (single-site clustering). Defaults to 2, must be a positive integer.
-
For multisite clustering (
node['splunk']['clustering']['num_sites']
> 1):node['splunk']['clustering']['site']
: The site the node belongs to. Valid values include site1 to site63node['splunk']['clustering']['site_replication_factor']
: The per-site replication policy of any given bucket. This is represented as a comma-separated list of per-site entries. Only valid whennode['splunk']['clustering']['mode']='master'
and multisite is true. Defaults to 'origin:2,total:3'. Refer to Splunk Admin docs for exact syntax and more details.node['splunk']['clustering']['site_search_factor']
: The per-site search policy for searchable copies for any given bucket. This is represented as a comma-separated list of per-site entires. Only valid whennode['splunk']['clustering']['mode']='master'
and multisite is true. Defaults to 'origin:1,total:2'. Refer to Splunk Admin docs for exact syntax and more details.
The following attributes are related to setting up a Splunk server with search head
clustering in the setup_shclustering
recipe:
node['splunk']['shclustering']
: A hash of search head clustering configurations used in thesetup_shclustering
recipenode['splunk']['shclustering']['enabled']
: Whether to enable search head clustering, must be set totrue
to use thesetup_shclustering
recipe. Defaults tofalse
, must be a boolean literaltrue
orfalse
.node['splunk']['shclustering']['mode']
: The search head clustering mode of the node within the cluster. This is used to determine if the node needs to bootstrap the shcluster and initialize the node as the captain. Must be set using string literal 'member' or 'captain'.node['splunk']['shclustering']['label']
: The label for the shcluster. Used to differentiate from other shclusters in the environment. Must be a string. Defaults toshcluster1
. captain election. Must be set using string literal 'member' or 'captain'.node['splunk']['shclustering']['replication_factor']
: The replication factor of the shcluster. Defaults to 3, must be a positive integer.node['splunk']['shclustering']['replication_port']
: The replication port of the shcluster members. Defaults to 9900.node['splunk']['shclustering']['deployer_url']
: The management url for the shcluster deployer server, must be set to a string such as:https://deployer.domain.tld:8089
. This attribute is optional. Defaults to empty.node['splunk']['shclustering']['mgmt_uri']
: The management url for the shcluster member node, must be set to a string such as:https://shx.domain.tld:8089
. You can use the node's IP address instead of the FQDN if desired. Defaults tohttps://#{node['fqdn']}:8089
.node['splunk']['shclustering']['shcluster_members']
: An array of all search head cluster members referenced by theirmgmt_uri
. Currently this will do a Chef search for nodes that are in the same environment, with search head clustering enabled, and with the same cluster label. Alternatively, this can be hard-coded with a list of all shcluster members including the current node. Must be an array of strings. Defaults to an empty array.
The following attributes are related to setting up a splunk forwarder
with the client
recipe
node['splunk']['outputs_conf']
is a hash of configuration values that are used to dynamically populate the outputs.conf
file's "tcpout:splunk_indexers_PORT
" configuration section. Each key/value pair in the hash is used as configuration in the file. For example the attributes/default.rb
has this:
default['splunk']['outputs_conf'] = {
'forwardedindex.0.whitelist' => '.*',
'forwardedindex.1.blacklist' => '_.*',
'forwardedindex.2.whitelist' => '_audit',
'forwardedindex.filter.disable' => 'false'
}
This will result in the following being rendered in outputs.conf
:
[tcpout:splunk_indexers_9997]
server=10.0.2.47:9997
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
As an example of outputs_conf
attribute usage, to add an sslCertPath
directive, define the attribute in your role or wrapper cookbook as such:
node.default['splunk']['outputs_conf']['sslCertPath'] = '$SPLUNK_HOME/etc/certs/cert.pem'
The server
attribute in tcpout:splunk_indexers_9997
stanza above is populated by default from Chef search results for Splunk servers, or, alternatively, is statically defined in node attribute node['splunk']['server_list']
.
node['splunk']['server_list']
is an optional comma-separated listed of server IPs and the ports. It's only applicable when there are no Splunk servers managed by Chef, e.g. sending data to Splunk Cloud which has managed indexers.
For example:
node.default['splunk']['server_list'] = '10.0.2.47:9997, 10.0.2.49:9997'
node['splunk']['inputs_conf']
is a hash of configuration values that are used to populate the inputs.conf
file.
node['splunk']['inputs_conf']['host']
: A string that specifies the default host name used in the inputs.conf file. The inputs.conf file is not overwritten if this is not set or is an empty string.node['splunk']['inputs_conf']['ports']
: An array of hashes that contain the input port configuration necessary to generate the inputs.conf file.
For example:
node.default['splunk']['inputs_conf']['ports'] = [
{
port_num => 123123,
config => {
'sourcetype' => 'syslog'
}
}
]
The following attributes are related to upgrades in the upgrade
recipe. Note The version is set to 4.3.7 and should be modified to
suit in a role or wrapper, since we don't know what upgrade versions
may be relevant. Enabling the upgrade and blindly using the default
URLs may have undesirable consequences, hence this is not enabled, and
must be set explicitly elsewhere on the node(s).
node['splunk']['upgrade_enabled']
: Controls whether the upgrade is enabled and theattributes/upgrade.rb
file should be loaded. Set this in a role or wrapper cookbook to perform an upgrade.node['splunk']['upgrade']
: Setsserver_url
andforwarder_url
attributes based on platform and architecture. These are only loaded ifupgrade_enabled
is set.
The Splunk Enterprise and Splunk Universal Forwarder package
installation is the same save the name of the package and the URL to
download. This definition abstracts the package installation to a
common baseline. Any new platform installation support should be added
by modifying the definition as appropriate. One goal of this
definition is to have a single occurance of a package
resource,
using the appropriate "local package file" provider per platform. For
example, on RHEL, we use rpm
and on Debian we use dpkg
.
Package files will be downloaded to Chef's file cache path (e.g.,
file_cache_path
in /etc/chef/client.rb
, /var/chef/cache
by
default).
The definition has two parameters.
name
: The name of the package (e.g.,splunk
).url
: The URL to the package file.
For example, if the nodes in the environment are all Debian-family,
and the desired splunkforwarder package is provided locally as
splunkforwarder.deb
on an internal HTTP server:
splunk_installer 'splunkforwarder' do
url 'https://www-int.example.com/splunk/splunkforwarder.deb'
end
The install_forwarder
and install_server
recipes use the
definition with the appropriate url
attribute.
This cookbook has several composable recipes that can be used in a
role, or a local "wrapper" cookbook. The default
, client
, and
server
recipes are intended to be used wholesale with all the
assumptions they contain.
The general default assumption is that a node including the default
recipe will be a Splunk Universal Forwarder (client).
This recipe encapsulates a completely configured "client" - a Splunk
Universal Forwarder configured to talk to a node that is the splunk
server (with node['splunk']['is_server'] true). The recipes can be
used on their own composed in a wrapper cookbook or role. This recipe
will include the user
, install_forwarder
, service
, and
setup_auth
recipes.
It will also search a Chef Server for a Splunk Enterprise (server)
node with splunk_is_server:true
in the same chef_environment
and
write out etc/system/local/outputs.conf
with the server's IP and the
receiver_port
attribute in the Splunk install directory
(/opt/splunkforwarder
).
Setting node['splunk']['outputs_conf'] with key value pairs updates the outputs.conf server configuration with those key value pairs. These key value pairs can be used to setup SSL encryption on messages forwarded through this client:
# Note that the ssl CA and certs must exist on the server.
node['splunk']['outputs_conf'] = {
'sslCommonNameToCheck' => 'sslCommonName',
'sslCertPath' => '$SPLUNK_HOME/etc/certs/cert.pem',
'sslPassword' => 'password'
'sslRootCAPath' => '$SPLUNK_HOME/etc/certs/cacert.pem'
'sslVerifyServerCert' => false
}
The inputs.conf file can also be managed through this recipe if you want to setup a splunk forwarder just set the default host:
node['splunk']['inputs_conf']['host'] = 'myhost'
Then set up the port configuration for each input port:
node['splunk']['inputs_conf']['ports'] =
[
{
port_num => 123123,
config => {
'sourcetype' => 'syslog',
...
}
},
...
]
The default recipe will include the disabled
recipe if
node['splunk']['disabled']
is true.
It will include the client
or server
recipe depending on whether
the is_server
attribute is set.
The attribute use allows users to control the included recipes by easily manipulating the attributes of a node, or a node's roles, or through a wrapper cookbook.
In some cases it may be required to disable Splunk on a particular
node. For example, it may be sending too much data to Splunk and
exceed the local license capacity. To use the disabled
recipe, set
the node['splunk']['disabled']
attribute to true, and include the
recipe on the required node, or just use the default
recipe.
This recipe uses the splunk_installer
definition to install the
splunkforwarder package from the specified URL (via the
node['splunk']['forwarder']['url']
attribute).
This recipe uses the splunk_installer
definition to install the
splunk (Enterprise server) package from the specified URL (via the
node['splunk']['server']['url']
attribute).
This recipe encapsulates a completely configured "server" - Splunk
Enterprise configured to receive data from Splunk Universal Forwarder
clients. The recipe sets the attribute node['splunk']['is_server']
to true, and is included from the default
recipe if the attribute is
true as well. The recipes can be used on their own composed in a
wrapper cookbook or role, too. This recipe will include the user
,
install_server
, service
, and setup_auth
recipes. It will also
conditionally include the setup_ssl
and setup_clustering
recipes
if enabled via the corresponding node attributes, as defined
in Attributes above.
It will also enable Splunk Enterprise as an indexer, listening on the
node['splunk']['receiver_port']
.
This recipe sets up the splunk
service, and applies to both client
and server use, since splunk
is the same service for both
deployments of Splunk.
The attribute node['splunk']['accept_license']
must be true in order
to set up the boot script. If it's true, then the boot script gets put
into place (/etc/init.d/splunk
on Linux/Unix systems), with the
license accepted. The service is managed using the Chef init
service
provider, which operates by using the /etc/init.d/splunk
script for
start, stop, restart, etc commands.
This recipe loads an encrypted data bag with the Splunk user
credentials as an -auth
string, 'user:password
', using the
chef-vault cookbook helper method,
chef_vault_item
. See Usage for how to set this up. The recipe
will edit the specified user (assuming admin
), and then write a
state file to etc/.setup_admin_password
to indicate in future Chef
runs that it has set the password. If the password should be changed,
then that file should be removed.
This recipe sets up Splunk indexer clustering based on the node's
clustering mode or node['splunk']['clustering']['mode']
. The attribute
node['splunk']['clustering']['enabled']
must be set to true in order to
run this recipe. Similar to setup_auth
, this recipes loads
the same encrypted data bag with the Splunk secret
key (to be shared among
cluster members), using the chef-vault cookbook
helper method, chef_vault_item
. See Usage for how to set this up. The
recipe will edit the cluster configuration, and then write a state file to
etc/.setup_cluster_{master|slave|searchhead}
to indicate in future Chef
runs that it has set the node's indexer clustering configuration. If cluster
configuration should be changed, then that file should be removed.
It will also search a Chef Server for a Splunk Enterprise (server)
node of type cluster master, that is with splunk_clustering_enable:true
and
splunk_clustering_mode:master
in the same chef_environment
and
use that server's IP when configuring a cluster search head or a cluster
peer node to communicate with the cluster master (Refer to master_uri
attribute
of clustering stanza in etc/system/local/server.conf
).
Indexer clustering is used to achieve some data availability & recovery. To learn more about Splunk indexer clustering, refer to Splunk Docs.
This recipe sets up Splunk search head clustering. The attribute
node['splunk']['shclustering']['enabled']
must be set to true in order to
run this recipe. Similar to setup_auth
, this recipes loads
the same encrypted data bag with the Splunk secret
key (to be shared among
cluster members), using the chef-vault cookbook
helper method, chef_vault_item
. See Usage for how to set this up. The
recipe will edit the cluster configuration, and then write a state file to
etc/.setup_shcluster
to indicate in future Chef runs that it has set the node's
search head clustering configuration. If cluster configuration should be changed,
then that file should be removed.
It will also search a Chef Server for a Splunk Enterprise (server)
node of type cluster master, that is with splunk_shclustering_enable:true
and
the same splunk_shclustering_label
in the same chef_environment
and
use that server's IP when building the list of shcluster_members
.
The search head cluster configuration is deployed as a custom Splunk app that
is written to etc/apps/0_autogen_shcluster_config
to take advantage of Splunk's
built in config layering. All nodes with splunk_shclustering_enable:true
will
receive this app.
On the first Chef run on a node with splunk_shclustering_mode:captain
, this recipe
will build and execute the Splunk command to bootstrap the search head cluster and
initiate the captain election process.
In addition to using this recipe for configuring the search head cluster members, you
will also have to manually configure a search head instance to serve as the
search head cluster's deployer. This is done by adding a [shclustering]
stanza to
that instance's etc/system/local/server.conf
with the same pass4SymmKey = <secret>
and the same shcluster_label = <splunk_shclustering_label>
. This deployer is optional, but should be configured prior to
running the bootstrap on the captain and then the search head cluster member nodes
configured with this deployer node's mgmt_uri set in the member node's splunk_shclustering_deployer_url
Search head clustering is used to achieve high availability & scaling. To learn more about Splunk search head clustering, refer to Splunk Docs.
Important Read the upgrade documentation and release notes for any particular Splunk version upgrades before performing an upgrade. Also back up the Splunk directory, configuration, etc.
This recipe can be used to upgrade a splunk installation, for example
from an existing 4.2.1 to 4.3.7. The default recipe can be used for
6.0.1 after upgrading earlier versions is completed. Note that the
attributes file is only loaded w/ the URLs to the splunk packages to
upgrade if the node['splunk']['upgrade_enabled']
attribute is set to
true. We recommend setting the actual URL attributes needed in a
wrapper cookbook or role.
This recipe manages the splunk
user and group. On Linux systems, the
user and group will be created with the system
attribute; other
platforms may not be aware of system
users/groups (e.g.,
illumos/solaris). Both resources will be created with the UID or GID
of the node['splunk']['user']['uid']
attribute. The default value is
396, arbitrarily chosen to fall under the system
UID/GID set by
/etc/login.defs
on both RHEL and Debian family Linux systems. If
this is a conflicting UID/GID, then modify the attribute as required.
Splunk secret key and admin user authentication information should be stored in a
data bag item that is encrypted using Chef Vault. Create a data bag
named vault
, with an item splunk_CHEF-ENVIRONMENT
, where
CHEF-ENVIRONMENT
is the node.chef_environment
that the Splunk
Enterprise server will be assigned. If environments are not used, use
_default
. For example in a Chef Repository (not in a cookbook):
% cat data_bags/vault/splunk__default.json
{
"id": "splunk__default",
"auth": "admin:notarealpassword",
"secret": "notarealsecret"
}
Or with an environment, 'production
':
% cat data_bags/vault/splunk_production.json
{
"id": "splunk_production",
"auth": "admin:notarealpassword",
"secret": "notarealsecret"
}
Then, upload the data bag item to the Chef Server using the
chef-vault
knife encrypt
plugin (first example, _default
environment):
knife encrypt create vault splunk__default \
--json data_bags/vault/splunk__default.json \
--search 'splunk:*' --admins 'yourusername' \
--mode client
More information about Chef Vault is available on the GitHub Project Page.
A Splunk server should have the Web UI available via HTTPS. This can be set up using self-signed SSL certificates, or "real" SSL certificates. This loaded via a data bag item with chef-vault. Using the defaults from the attributes:
% cat data_bags/vault/splunk_certificates.json
{
"id": "splunk_certificates",
"data": {
"self-signed.example.com.crt": "-----BEGIN CERTIFICATE-----\n...SNIP",
"self-signed.example.com.key": "-----BEGIN RSA PRIVATE KEY-----\n...SNIP"
}
}
Like the authentication credentials above, run the knife encrypt
command. Note the search here is for the splunk server only:
knife encrypt create vault splunk_certificates \
--json data_bags/vault/splunk_certificates.json \
--search 'splunk_is_server:true' --admins 'yourusername' \
--mode client
- Author: Joshua Timberman joshua@chef.io
- Copyright 2013, Chef Software, Inc legal@chef.io
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.