-
Notifications
You must be signed in to change notification settings - Fork 11
Basic Configuration
dubiousOne edited this page Feb 15, 2016
·
21 revisions
Ansible Playbook for Splunk configuration consists of different parts:
- Inventory (Hosts)
- Splunk Installation Configuration
- Splunk Instance Configuration (See Chapter Splunk Configuration)
- Splunk Application Configuration (See Chapter Splunk Application Configuration)
Before configurations can be deployed, an inventory has to be set up. The inventory file can be located anywhere, but it is suggested to either place it within the playbook itself or the ansible installation root directory (e.g. /etc/ansible/hosts).
Splunk systems are grouped by functionality. Group Naming follows Splexicon definitions with a few extensions.
| Group Name | Description | Mandatory |
|---|---|---|
| repository | The node containing the playbook repository | Yes |
| shcmember | Search Head Cluster Members | Yes, when shclustering is used |
| searchhead | Standalone-Searchhead | No |
| searchpeer | Non-clustered search peers | No |
| peernode | Clustered search peers | No |
| licensemaster | License Master | Yes |
| deployer | Search Head Cluster Deployer | Yes, when shclustering is used |
| masternode | Indexer Cluster Masternode | Yes, when clustering is used |
| deploymentserver | Deployment Server | No |
| dmc | Distributed Management Console | No |
| site0 | Hosts in site0 | Yes, when multi-site clustering/shclustering is used |
| site1 | Hosts in site1 | Yes, when multi-site clustering/shclustering is used |
| site1 | Hosts in site1 | Yes, when multi-site clustering/shclustering is used |
| shcluster | All members of a Search Head Cluster | Yes, when shclustering is used |
| cluster | All members of an Indexer Cluster | Yes, when clustering is used |
| heavyforwarder | Heavyforwarders | No |
Note: Currently only one instance of a Search Head Clusters and Indexer Clusters is supported. Therefore groups should not be renamed
A sample inventory file has been provided (hosts_production.template):
[repository]
localhost ansible_connection=local
[shcmember]
searchhead1.private.domain
searchhead2.private.domain
searchhead3.private.domain
[searchhead]
searchhead.private.domain
[searchpeer]
[peernode]
indexer1.private.domain
indexer2.private.domain
[licensemaster]
licensemaster.private.domain
[deployer]
deployer.private.domain
[masternode]
masternode.private.domain
[deploymentserver]
deploymentserver.private.domain
[dmc]
dmc.private.domain
[site0]
masternode.private.domain
dmc.private.domain
[site1]
searchhead1.private.domain
searchhead2.private.domain
indexer1.private.domain
[site2]
searchhead3.private.domain
indexer2.private.domain
[shcluster]
deployer.private.domain
searchhead1.private.domain
searchhead2.private.domain
searchhead3.private.domain
[cluster]
masternode.private.domain
indexer1.private.domain
indexer2.private.domain
[heavyforwarder]
heavyforwarder1.private.domainSplunk Installation Configuration consists of different parts:
- Splunk Packages: Locations for Splunk Packages
- Splunk Installation: Splunk Installation Information
- Splunk Configuration: Splunk Configuration Information
The Splunk Packages configuration is stored under group_vars/all/splunk_packages and has the following format:
########################################################
#
# Possible values for all/splunk_packages group_vars
#
########################################################
splunk_packages:
linux_64_rpm:
* 64-bit Linux RPM Packages
* Optional
package:
version: <version>
* Version Number
url: <url>
* Package Source URL
package:
...
* List of packages
linux_64_tgz:
* 64-bit Linux TGZ Packages
* Optional
package:
version: <version>
* Version Number
url: <url>
* Package Source URL
package:
...
* List of packages---
#####################################################################################################################
# Splunk Package Variables
#####################################################################################################################
splunk_packages:
linux_64_rpm:
package:
version: 6.3.1
url: "http://download.splunk.com/products/splunk/releases/6.3.1/splunk/linux/splunk-6.3.1-f3e41e4b37b2-linux-2.6-x86_64.rpm"
package:
version: 6.3.2
url: "http://download.splunk.com/products/splunk/releases/6.3.2/splunk/linux/splunk-6.3.2-aaff59bb082c-linux-2.6-x86_64.rpm"
linux_64_tgz:
package:
version: "6.3.1"
url: "http://download.splunk.com/products/splunk/releases/6.3.1/splunk/linux/splunk-6.3.1-f3e41e4b37b2-Linux-x86_64.tgz"
package:
version: "6.3.2"
url: "http://download.splunk.com/products/splunk/releases/6.3.2/splunk/linux/splunk-6.3.2-aaff59bb082c-Linux-x86_64.tgz"
The Splunk Installation configuration is stored under group_vars/all/splunk_installation and has the following format:
########################################################
#
# Possible values for all/splunk_installation group_vars
#
########################################################
splunk_installation:
splunk_home_path:
* Mandatory
* Typically /opt/splunk
version: <version>
* Optional / Not used yet
* Version number to be installed
ssh_public_key: <string>
* Optional
* The SSH public key Ansible uses to connect to Splunk hosts
package_format: [rpm|tgz]
* Mandatory
* The package format used to install Splunk
package_file: <filename>
* Mandatory
* The file name of the Splunk package. Files has to exist in <splunk_repository>/packages
remote_package_temp_path: <path>
* Mandatory
* The path where Ansible copies the Splunk package to
* Typcially /tmp
delete_package_after_install: <boolean>
* Mandatory
* Should the remote Splunk Packages be deleted after installation
remote_app_temp_path: <path>
* Mandatory
* The path where Ansible copies the apps to
* Typically /tmp
admin_password: <string>
* Mandatory
* The Splunk admin password in cleartext
* Use Ansible Vault to keep this protected
splunk_secret: <string>
* Mandatory
* The splunk.secret in cleartext
* Use Ansible Vault to keep this protected
firewalld_open_port:
port: "<portnumber1>/tcp"
port: "<portnumber2>/tcp"
...
port: "<portnumberN>/tcp"
* Optional
* List of ports to open, if firewalld is used.---
#####################################################################################################################
# Installation Variables
#####################################################################################################################
splunk_installation:
splunk_home_path: /opt/splunk
version: 6.3.1
ssh_public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnC6DzjkQjCXTMRqEWELAeehSldjqAemn3NflE6NKQ/wp7ekO6krRxALTBp3sD4wllCw7IRFkVPDpII29PszGxc/JL53yV2RgYRhzSxdDG5FuTKhS5FKRuQuoPPj3Y8qm1ZBxk+9W3Z/BWP593lkgLQ1v4ykO68p53+QCLy4Up1+Noyw3sRwpgx12OzDcIvjzZ2s8DjmApwXg23YB/TVS7OWG1A4AVVUa4cKq7CXnbY/uVluUnI7jUeOW1bsLnrgCuSbInxEyGmG/tcEm/2PAp22arTjpOEBvUNjdIwy6/Dhx4679pKh+KATjHpkM+iNWmy/zkl28Iv798pt8k+Zf7 root@linuxmint"
package_format: rpm
package_file: splunk-6.3.1-f3e41e4b37b2-linux-2.6-x86_64.rpm
remote_package_temp_path: /tmp
delete_package_after_install: false
remote_app_temp_path: /tmp
admin_password: verysecret
splunk_secret: 9uaY9Z02G69pWDMd6lUQGRISmgoRllMloZTsUf3EN/aV4Tp2F5EZynoNYEyEakTrrFhnUrti/f23DdziWTGU6WGJkPnJ07uxYDByH0dLKMjWjpPGxeOZ5WHt3D3dF5qyryO27KBWJ3ZWBMfUow85cX/0RHRIQv3C28q8R7m17YUVhsv6b8CVfG/kWIVqTdpcR.jElzKYv75X2GdRgvLyBDWLC7KplnOgmaiZ0bfpaNlEV.Yp4acowkHqH4USRb
firewalld_open_port:
port: "8000/tcp"
port: "8089/tcp"
port: "9997/tcp"
port: "9888/tcp"The Splunk Configuration definition file is stored under group_vars/all/splunk_configuration and has the following format:
#########################################################
#
# Possible values for all/splunk_configuration group_vars
#
#########################################################
splunk_conf_path: <path>
* Path, where to write configuration items. Typically /opt/splunk/etc/system/local```---
#####################################################################################################################
# General Conf Variables
#####################################################################################################################
splunk_conf_path: /opt/splunk/etc/system/localThe README/templates [README/templates] (https://github.com/my2ndhead/ansible_playbook_splunk/tree/master/README/templates/group_vars) directory contains example configurations to set up a full-blown multisite cluster/shcluster environment.
The configs can be taken as a starting point.
Ansible Playbook for Splunk by Mika Borner CC BY-NC-SA 4.0