-
Notifications
You must be signed in to change notification settings - Fork 3
/
deploy_splunk_enterprise.sh
187 lines (161 loc) · 9.7 KB
/
deploy_splunk_enterprise.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
#!/bin/sh
# Written by Aleem Cummins - Splunk Study Club
# aleem@cummins.me
# https://github.com/SplunkStudyClub/splunk-on-aws
# Example usage
# sudo bash deploy_splunk_enterprise.sh -p /opt -h sh01 -v 8.1.2 -b 545206cc9f70 -c true -d true -s true
# Script is coded for x86_64 on Linux. This can be updated as necessary
#Apply script arguments
echo "Number of parameters passed to this script is $#"
while getopts p:h:v:b:c:d:s: flag
do
case "${flag}" in
p) SPLUNK_PARENT_FOLDER=${OPTARG};;
h) SPLUNK_SERVER_NAME=${OPTARG};;
v) SPLUNK_SERVER_VERSION=${OPTARG};;
b) SPLUNK_SERVER_BUILD=${OPTARG};;
c) CREATE_DNS_CRON_JOB=${OPTARG};;
d) UPDATE_DNS=${OPTARG};;
s) SLIM_DOWN=${OPTARG};;
esac
done
# Prepare script variables
SCRIPT_ABSOLUTE_PATH=$(dirname $(readlink -f $0))
SCRIPT_NAME=${0##*/}
echo "SCRIPT_ABSOLUTE_PATH="$SCRIPT_ABSOLUTE_PATH
SPLUNK_INSTALLER="splunk-"$SPLUNK_SERVER_VERSION"-"$SPLUNK_SERVER_BUILD"-Linux-x86_64.tgz"
SPLUNK_HOME=$SPLUNK_PARENT_FOLDER"/splunk"
SERVER_CONF=$SPLUNK_HOME"/etc/system/local/server.conf"
REMOTE_SERVER_APP_FOLDER=$SPLUNK_HOME"/etc/apps"
INDEXES_CONF=$SPLUNK_PARENT_FOLDER"/splunk/etc/system/local/indexes.conf"
DNS_UPDATE_SCRIPT=$SCRIPT_ABSOLUTE_PATH"/update_splunk_dns.sh"
DNS_LOG_FILE=$SCRIPT_ABSOLUTE_PATH"/update_splunk_dns.log"
SPLUNK_PLATFORM="linux"
SPLUNK_ARCHITECTURE="x86_64"
SPLUNK_PRODUCT="splunk"
# Displaying the last modified time of scripts can be useful to avoid confusion when updating and testing
echo "======================================================================================================================================="
echo $(clear)
LAST_MODIFIED_DATE_EPOCH=$(stat -c %Y $SCRIPT_ABSOLUTE_PATH"/"$SCRIPT_NAME)
LAST_MODIFIED_DATE=$(date -d @$LAST_MODIFIED_DATE_EPOCH)
echo "Script Last Modified:" $LAST_MODIFIED_DATE "("$SCRIPT_ABSOLUTE_PATH"/"$SCRIPT_NAME")"
echo "======================================================================================================================================="
# Check if Splunk is already deployed
# This is to prevent an existing Splunk instance being overwritten by mistake
# To remove and existing instance the following commands are useful
# sudo $SPLUNK_HOME/bin/splunk stop;# sudo rm -rf $SPLUNK_HOME
# This code could be updated to also check if a universal forwarder may be already installed as a learning opportunity
if [ -f $SERVER_CONF ]; then
SPLUNK_INSTANCE_VERSION=`sudo $SPLUNK_HOME/bin/splunk version`
SPLUNK_SERVERNAME=`grep serverName $SERVER_CONF | sed 's/[ ][ ]*//g' | cut -c 12- | sed -e 's/\(.*\)/\L\1/'` || fail
echo "Splunk Enterprise "$SPLUNK_INSTANCE_VERSION" is already installed on this instance with serverName of "$SPLUNK_SERVERNAME" specified in "$SERVER_CONF
echo "Aborting Install"
echo "The existing instance can be removed with the following commands"
echo $SPLUNK_HOME"/bin/splunk stop;rm -rf "$SPLUNK_HOME
echo "sudo may be required dpending on the ownship of "$SPLUNK_HOME
echo "Run ls -l "$SPLUNK_HOME" to check permissions"
echo "Executing these command will permanently destroy all settings and all data from the existing instance"
echo "CRON jobs created for previous testing can be examined as removed as necessary by running following command"
echo "crontab -e"
echo "Do not run these commands unless you are fully authorised and fully approved to do so and undertand to the consequences"
exit
else
echo "Splunk Enterprise "$SPLUNK_SERVER_VERSION" ("$SPLUNK_SERVER_BUILD") will now be deployed to " $SPLUNK_PARENT_FOLDER"/splunk"
fi
# Retrieve the user that executed this script even if sudo command was used
AWS_USERNAME="${SUDO_USER:-$USER}"
# It is best practice to create user account to use to run Splunk with non root privileges
# For this script the username from the SSH login is being used for deployment
# Other scripts from the Splunk Study Club GitHub respositiry cover best practice in full
# Updating this script for cater for best practice is a good learing opportunity and is why we have done it this way
# The user account name and user account group could be passed as arguments
# See create_splunk_base_apps.sh in the GitHub repository for an example of this
echo "Splunk will be configured to run under the user "$AWS_USERNAME
echo "Creating Splunk Home Folder "$SPLUNK_HOME
sudo mkdir -p $SPLUNK_HOME
echo "Downloading Splunk installer ("$SPLUNK_INSTALLER") to " $SPLUNK_INSTALLER_PATH
SPLUNK_INSTALLER_PATH=$SCRIPT_ABSOLUTE_PATH"/"$SPLUNK_INSTALLER
sudo wget -O $SPLUNK_INSTALLER_PATH "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture="$SPLUNK_ARCHITECTURE"&platform="$SPLUNK_PLATFORM"&version="$SPLUNK_SERVER_VERSION"&product="$SPLUNK_PRODUCT"&filename="$SPLUNK_INSTALLER"&wget=true"
#check if file has been downloaded
if [ -f $SPLUNK_INSTALLER_PATH ]; then
echo "Installer downloaded successfully to " $SPLUNK_INSTALLER_PATH
else
echo "Download has failed for: " $SPLUNK_INSTALLER_PATH
echo "Aborting Install"
exit
fi
echo "Extracting Splunk installation file to " $SPLUNK_HOME
sudo tar -xvf $SCRIPT_ABSOLUTE_PATH"/"$SPLUNK_INSTALLER -C $SPLUNK_PARENT_FOLDER
echo "Deleting Splunk installer ("$SPLUNK_INSTALLER")"
sudo rm -r $SCRIPT_ABSOLUTE_PATH"/"$SPLUNK_INSTALLER || fail
echo "Start Install Splunk as root user"
echo "Splunk will prompt for a new admin password"
sudo $SPLUNK_HOME/bin/splunk start --accept-license --answer-yes
echo "Changing ownership of "$SPLUNK_HOME" to "$AWS_USERNAME
sudo $SPLUNK_HOME/bin/splunk stop
sudo chown -R $AWS_USERNAME $SPLUNK_HOME
echo "Starting Splunk as a Non-Root OS User ("$AWS_USERNAME")"
sudo -H -u $AWS_USERNAME $SPLUNK_HOME/bin/splunk start
echo "Enable Splunk on Boot as OS user "$AWS_USERNAME
sudo $SPLUNK_HOME/bin/splunk enable boot-start -user $AWS_USERNAME
if [ "$SLIM_DOWN" = true ] ; then
echo "Slimming down Splunk instance to fit t2.micro default storage of 8GiB"
#on a free tier AWS reduce limit for free disk space before stop indexing to 500MB as default size of t2.micro instance is 8GiB
sudo $SPLUNK_HOME/bin/splunk set minfreemb 500
# Reduce the index sizes for the default indexes from 500GB to 500MB as default size of imstance in 8GiB
# /etc/system/local/indexes.conf
INDEX_SIZE=500
echo "[main]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[_audit]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[_internal]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[_introspection]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[_metrics]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[_metrics_rollup]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[_telemetry]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[_thefishbucket]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[history]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[splunklogger]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
echo "[summary]" >> $INDEXES_CONF ; echo "maxTotalDataSizeMB = "$INDEX_SIZE >> $INDEXES_CONF ; echo -e "" >> $INDEXES_CONF
else
echo "Not slimming down Splunk instance"
fi
echo "Enabling SSL on DEFAULT port 8000 to connect to "$SPLUNK_SERVER_NAME
echo "Port 443 is not set as any port below 1000 requires root access to it and splunk is running as non-root user "$AWS_USERNAME
sudo $SPLUNK_HOME/bin/splunk enable web-ssl
echo "Setting serverName and default-hostname to "$SPLUNK_SERVER_NAME
sudo $SPLUNK_HOME/bin/splunk set servername $SPLUNK_SERVER_NAME
sudo $SPLUNK_HOME/bin/splunk set default-hostname $SPLUNK_SERVER_NAME
echo "Restart Splunk sizing updates to be applied"
sudo $SPLUNK_HOME/bin/splunk restart
if [ "$UPDATE_DNS" = true ] ; then
echo "Executing DNS Update Script " $DNS_UPDATE_SCRIPT
source $DNS_UPDATE_SCRIPT -l $DNS_LOG_FILE
echo "Finished executing DNS Update Script " $DNS_UPDATE_SCRIPT
else
echo "DNS updating was not requested"
fi
if [ "$CREATE_DNS_CRON_JOB" = true ] ; then
echo "A CRON job is being created for the DNS updates at 5 minute intervals"
# Create a CRON job for updating DNS every 5 minutes
# The script places the script in the home folder of the SSH user
# Updating this script for cater for best practice in the location of update_splunk_dns.sh is a good learning opportunity
CRON_CMD=$SCRIPT_ABSOLUTE_PATH"/cron_cmd.txt"
crontab -l > $CRON_CMD
# echo new cron into cron file
echo "*/5 * * * * sudo bash "$DNS_UPDATE_SCRIPT -l $DNS_LOG_FILE >> $CRON_CMD
# install new cron file
crontab $CRON_CMD
rm $CRON_CMD
else
echo "CRON job creation was not requested"
fi
echo "";echo ""
echo "---------------------------------------------"
echo "Splunk Enterprise "$SPLUNK_VERSION" has been successfully installed at "$SPLUNK_HOME" and is running as OS user "$AWS_USERNAME
SERVER_CONF=$SPLUNK_HOME"/etc/system/local/server.conf"
SPLUNK_SERVERNAME=`grep serverName $SERVER_CONF | sed 's/[ ][ ]*//g' | cut -c 12- | sed -e 's/\(.*\)/\L\1/'`
echo "Splunk Server Name has been set to " $SPLUNK_SERVERNAME" in "$SERVER_CONF
echo ""
echo "Splunk web can be reached at "$SPLUNK_WEB_URL
echo "Best wishes from Splunk Study Club";echo ""
echo "---------------------------------------------"