Does splunk play nice with puppet?

Question

I'd like to able to install and configure the log forwarder using puppet. What needs to be done to make that happen?

Accepted Answer

Puppet works very well with Splunk. You should configure a Puppet package to push the Splunk installer out to the forwarder, along with some base installation items such as the forwarder license, a script to enable the service at boot, and a matched set of $SPLUNK_HOME/etc/auth/, $SPLUNK_HOME/etc/passwd, and $SPLUNK_HOME/etc/system/local/server.conf files to set a password for the forwarder's Splunk admin user. (You could also include a matched authorize.conf file for LDAP integration instead if desired.)

On top of that, you can then push the forwarder-specific configuration files and apps that are necessary to run as a forwarder.

If you have many classes of Splunk forwarder, or other classes of Splunk server, you can create separate packages for each one to push a different set of configurations. I do recommend that you organize the configuration sets using Splunk apps, and group the apps into Puppet packages by server class.

Answer 2

Here is my current (working) manifest! (v.2)

class splunk::forwarder { $mod = "splunk"

service {

  "splunk":
     ensure     => running,
     enable     => true,
     hasrestart => true,
     hasstatus  => false,
     pattern    => "splunkd",
     subscribe  => [
        Package["splunk"],
        File["/opt/splunk/etc/apps/unix"],
        File["/opt/splunk/etc/apps/SplunkLightForwarder"],
        File["/etc/init.d/splunk"]
     ]

}

package {

  "splunk":
      ensure  => installed,

}

file {

  "/opt/splunk/etc/splunk.license":
     mode    => "644",
     owner   => "splunk",
     group   => "splunk",
     backup  => true,
     ensure  => present,
     require => Package["splunk"],
     source  => "puppet:///modules/$mod/noarch/opt/splunk/etc/splunk-forwarder.license";

  "/etc/init.d/splunk":
     mode    => "700",
     owner   => "root",
     group   => "root",
     ensure  => present,
     require => Package["splunk"],
     source  => "puppet:///modules/$mod/noarch/etc/init.d/splunk";

  "/opt/splunk/etc/passwd":
     mode     => "600",
     owner    => "root",
     group    => "root",
     backup   => true,
     ensure   => present,
     require  => Package["splunk"],
     source   => "puppet:///modules/$mod/noarch/opt/splunk/etc/passwd";

  "/opt/splunk/etc/auth":
     owner   => "splunk",
     group   => "splunk",
     mode    => "600",
     recurse => true,
     purge   => false,
     require => Package["splunk"],
     source  => "puppet:///modules/$mod/noarch/opt/splunk/etc/auth";

  "/opt/splunk/etc/apps/unix":
     owner   => "splunk",
     group   => "splunk",
     recurse => true,
     purge   => false,
     require => Package["splunk"],
     source  => "puppet:///modules/$mod/noarch/opt/splunk/etc/apps/unix";

  "/opt/splunk/etc/apps/SplunkLightForwarder":
     owner   => "splunk",
     group   => "splunk",
     recurse => true,
     purge   => false,
     require => Package["splunk"],
     source  => "puppet:///modules/$mod/noarch/opt/splunk/etc/apps/SplunkLightForwarder",

}

Answer 3

2

This is a great question! I'm writing a puppet manifest to deploy my forwarders based on this answer. However I can't seem to get the forwarder license right. I'm copying "splunk-forwarder.license" into splunk.license" but I still get a EULA on first start... is there something i'm missing? I'd be happy to post my manifest here as an example once I'm finished!

Thanks!

link

answered 15 Aug '10, 19:06

thartmann
121●8
accept rate: 0%

I'm using just the init script (/etc/init.d/splunk start|stop|restart) to start the forwarder, I suppose I could edit the script after it's created, but I was hoping there was a better way to accept, or place the license. I'm trying create an automated deploy with puppet, for our standard builds.

(15 Aug '10, 22:00) thartmann

1

as pde23 says, yeah, just edit the script and add the flags --accept-license --no-prompt --answer-yes to the default start command. Then just push out that script using puppet. Don't use have puppet execute ./splunk enable boot-start, that's not as nice. You could add the --accept-license etc flags to the command if you have puppet execute it, but I prefer just pushing files as it easier to specify a specific end-state that way than by running commands.

(15 Aug '10, 23:45) gkanapathy ♦

1

Awesome! I think that will work well! I'll post my current manifest! Thanks much guys!

(16 Aug '10, 20:44) thartmann

Answer 4

2	When you start your forwarder, are you using `$SPLUNK_HOME/bin/splunk start --accept-license` to tell it not to give you the EULA? link answered 15 Aug '10, 19:24 pde23 53●5 accept rate: 0%

Answer 5

1	A more complete Splunk class for Puppet, to turn most nodes into lightweight forwarders (and one indexer), can be found at Github: http://bit.ly/dhvN36. The class is based on hexx0's SSL tutorial. link answered 18 Nov '10, 22:20 lisa 11●1 accept rate: 0%

Answer 6

-3

Splunk does NOT work well with puppet. There are quite a number of files that are auto-generated by Splunk, and re-pushing out the old files with puppet will break Splunk. Also, if you deploy all the files you need with puppet, when you start Splunk for the first time, it thinks your doing an upgrade. Don't know what the repurcusions of that might be.

link

answered 02 Dec '10, 23:39

dgarstang
5●2
accept rate: 0%

it should be fine as long as you get your required order proper and make sure not to overwrite anything that would be changed during normal operations of splunk. I'm planning on writing a splunk module to deploy universal forwarders and I don't see any reason why it con't be done.

(06 Apr, 08:20) infinitiguy

Does splunk play nice with puppet?

Follow this question

Splunk Resources

Related questions