Install the Splunk Universal Forwarder to forward your logs to Splunk.
See the full Salt Formulas installation and usage instructions
- splunkforwarder
- splunkforwarder.certs
- splunkforwarder.forwarder
- splunkforwarder.intermediate-forwarder
- splunkforwarder.secret
Install Splunk Universal Forwarder and all its dependencies, then start the service.
If you configured splunkforwarder:intermediate = True, this includes the splunkforwarder.intermediate-forwarder recipe.
Install SSL certificates.
Install Splunk Unversal Forwarder and start the service.
Configure Splunk Universal Forwarder to be an intermediate forwarder. E.g. it accepts forwarded logs from other servers and forwards them further upstream.
Install shared Splunk secret.
What version of Splunk Universal Forwarder are you installing?
Example:
splunkforwarder:
version: 6.2.0The name of the package you are installing.
Example:
splunkforwarder:
package_filename: splunkforwarder-6.2.0-237341-linux-2.6-amd64.debThe checksum of the file you're installing.
Example:
splunkforwarder:
source_hash: sha256=xxxxxxThis URL must contain a trailing slash.
Splunk does not make their packages available for public download. You must login to your Splunk account, download the package you want, and put it on your own HTTP/FTP/S3/whatever server for your machines to access.
This is the base URL where you put the images.
Example:
splunkforwarder:
download_base_url: http://your.domain.com/downloads/This is a list of servers to forward to. Splunk will treat these like a round-robin and will forward to all of the servers in the list. If/when one goes down the others will get the traffic.
Example:
splunkforwarder:
forward_servers:
- 1.2.3.4:9998
- 1.2.4.5:9998At least 1 server is required, presumably you can configure as many as you like.
This is a dictionary containing all of the files you want to monitor. The name of the dictionary is not used other than to guarantee uniqueness of each entry (a Salt constraint).
There is 1 required entry in each, monitor which is used in Splunk's inputs.conf monitor stanza.
Here again this should be unique and it can contain any characters that Splunk will accept as a
monitoring stanza.
Any additional entries are added directly to the [monitor] stanza in Splunk.
Example:
splunkforwarder:
inputs:
monitor:
nginx-error-log:
monitor: /var/log/nginx/error.log
index: search
sourcetype: nginx_error_logResulting Splunk inputs.conf Stanza:
[monitor:///var/log/nginx/error.log]
index = search
sourcetype = nginx_error_log
Default = False
Set it to True if you want this machine to accept incoming connections from other Splunk forwarders to be forwarded on upstream.
This is a shared secret across all your splunk forwarders. It allows for the password encryption to yield the same result across your servers, so you can store your password encrypted in your pillar.
Your Splunk password. If you know the encrypted version, use it.
If you don't know the encrypted version, put it in plain text. See the section figuring out your encrypted passwords below to see how to determine what your encrypted password is.
Your Splunk password. If you know the encrypted version, use it.
If you don't know the encrypted version, put it in plain text. See the section figuring out your encrypted passwords below to see how to determine what your encrypted password is.
Each of the SSL certificates you need to install.
Example:
splunk:
certs:
cacert.pem:
content: |
-----BEGIN CERTIFICATE-----
xxxxxxYourCertificateHerexxxxxx
-----END CERTIFICATE-----
selfsignedcert.pem:
content: |
-----BEGIN CERTIFICATE-----
xxxxxxYourCertificateHerexxxxxx
-----END CERTIFICATE-----Note that you don't have to use a selfsignedcert.pem, you can use a real cert
if you have one. In that case you must configure
splunk:self_cert_filename to match the name of the
cert you added here in lieu of selfsignedcert.pem.
Default = selfsignedcert.pem
Name of the SSL cert used by the current machine to talk to other machines. If you have real certs, replace this with the name of your cert.
NOTE: The cert named here MUST exist in splunk:certs:{{name}}:content so
we can install that cert on the Splunk server. Either that, or you must
manually install it into /opt/splunkforwarder/etc/certs/{{name}} before
you try installing splunkforwarder.
The trickiest part of the configuration is dealing with the encrypted passwords. Splunk doesn't publicize its salt method so it's not possible to know what the encrypted passwords will be without letting Splunk do the encryption itself.
Thus it's a 3 step process:
-
Enter plain text passwords in your pillars for
splunk:password:inputs.confand forsplunk:password:outputs.conf -
salt-call state.sls splunkforwarder -
On the system you just installed Splunk onto, inspect these files:
/opt/splunkforwarder/etc/system/local/inputs.conf- copy the encrypted value of
passwordinto thesplunk:password:inputs.confpillar
- copy the encrypted value of
/opt/splunkforwarder/etc/system/local/outputs.conf- copy the encrypted value of
sslPasswordinto thesplunk:password:outputs.confpillar
- copy the encrypted value of
Now you have the encrypted value stored in your pillar instead of the plain
text. For this to work, the same splunk:secret must be shared across all machines
using these encrypted passwords.
Note: The same exact password will have 2 different encrypted values, one for inputs.conf and one for outputs.conf. Presumably the name of the file that it gets written to is part of the encryption.