You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

313 lines
8.8 KiB

7 months ago
## Examples
The purpose of this section is to showcase a wide variety of examples on how `splunk-ansible` can be used. Please use the files and content here as simple references designs for implementing and getting immediate value out of the playbooks in this repository.
From a design perspective, the plays within `splunk-ansible` are meant to be run locally on each instance of your intended Splunk deployment. The execution flow of the provisioning process is meant to gracefully handle interoperability in this manner, while also maintaining idempotency and configuration management. It is also possible to use these plays against a remote instance, although that is not the intended use case so it might not work in all cases.
----
## I want to...
* [Provision localhost as a standalone Splunk](#provision-local-standalone)
* [Enable a user-defined HEC token](#provision-hec)
* [Access SplunkWeb behind a reverse proxy](#enable-reverse-proxy)
* [Use a dynamic inventory](#provision-with-dynamic-inventory)
* [Provision Docker containers with splunk-ansible](#provision-docker-containers)
---
## Provision local standalone
<details><summary markdown='span'><code>hosts</code> file inventory</summary><p></p>
```
localhost ansible_connection=local
```
</details><p></p>
<details><summary markdown='span'><code>default.yml</code></summary><p></p>
```yaml
---
ansible_post_tasks: null
ansible_pre_tasks: null
config:
baked: default.yml
defaults_dir: /tmp/defaults
env:
headers: null
var: SPLUNK_DEFAULTS_URL
verify: true
host:
headers: null
url: null
verify: true
max_delay: 60
max_retries: 3
max_timeout: 1200
hide_password: false
retry_delay: 3
retry_num: 60
wait_for_splunk_retry_num: 60
shc_sync_retry_num: 60
splunk:
admin_user: admin
app_paths:
default: /opt/splunk/etc/apps
deployment: /opt/splunk/etc/deployment-apps
httpinput: /opt/splunk/etc/apps/splunk_httpinput
idxc: /opt/splunk/etc/master-apps
shc: /opt/splunk/etc/shcluster/apps
enable_service: false
exec: /opt/splunk/bin/splunk
group: splunk
hec:
enable: True
ssl: True
token: null
port: 8088
home: /opt/splunk
http_enableSSL: 0
http_enableSSL_cert: null
http_enableSSL_privKey: null
http_enableSSL_privKey_password: null
http_port: 8000
idxc:
label: idxc_label
replication_factor: 3
replication_port: 9887
search_factor: 3
secret: null
pass4SymmKey: null
ignore_license: false
license_download_dest: /tmp/splunk.lic
opt: /opt
password: helloworld
pid: /opt/splunk/var/run/splunk/splunkd.pid
s2s_enable: true
s2s_port: 9997
search_head_cluster_url: null
secret: null
pass4SymmKey: null
shc:
label: shc_label
replication_factor: 3
replication_port: 9887
secret: null
pass4SymmKey: null
smartstore: null
svc_port: 8089
tar_dir: splunk
user: splunk
wildcard_license: false
splunk_home_ownership_enforcement: true
```
</details><p></p>
Execution command:
```
ansible-playbook --inventory hosts --connection local site.yml --extra-vars "@default.yml"
```
---
## Provision HEC
The HTTP Event Collector (HEC) enables sending data directly to Splunk via a HTTP endpoint and a token. Here's how you can enable it with a user-defined token (`abcd-1234-efgh-5678`).
<details><summary markdown='span'><code>hosts</code> file inventory</summary><p></p>
```
localhost ansible_connection=local
```
</details><p></p>
<details><summary markdown='span'><code>default.yml</code></summary><p></p>
```yaml
---
ansible_post_tasks: null
ansible_pre_tasks: null
config:
baked: default.yml
defaults_dir: /tmp/defaults
env:
headers: null
var: SPLUNK_DEFAULTS_URL
verify: true
host:
headers: null
url: null
verify: true
max_delay: 60
max_retries: 3
max_timeout: 1200
hide_password: false
retry_delay: 3
retry_num: 60
wait_for_splunk_retry_num: 60
shc_sync_retry_num: 60
splunk:
admin_user: admin
app_paths:
default: /opt/splunk/etc/apps
deployment: /opt/splunk/etc/deployment-apps
httpinput: /opt/splunk/etc/apps/splunk_httpinput
idxc: /opt/splunk/etc/master-apps
shc: /opt/splunk/etc/shcluster/apps
enable_service: false
exec: /opt/splunk/bin/splunk
group: splunk
hec:
enable: True
ssl: True
token: abcd-1234-efgh-5678
port: 8088
home: /opt/splunk
http_enableSSL: 0
http_enableSSL_cert: null
http_enableSSL_privKey: null
http_enableSSL_privKey_password: null
http_port: 8000
idxc:
label: idxc_label
replication_factor: 3
replication_port: 9887
search_factor: 3
secret: null
ignore_license: false
license_download_dest: /tmp/splunk.lic
opt: /opt
password: helloworld
pid: /opt/splunk/var/run/splunk/splunkd.pid
s2s_enable: true
s2s_port: 9997
search_head_cluster_url: null
secret: null
shc:
label: shc_label
replication_factor: 3
replication_port: 9887
secret: null
smartstore: null
svc_port: 8089
tar_dir: splunk
user: splunk
wildcard_license: false
splunk_home_ownership_enforcement: true
```
</details><p></p>
Execution command:
```
ansible-playbook --inventory hosts --connection local site.yml --extra-vars "@default.yml"
```
For this case, the `splunk.hec.ssl` parameter will govern whether the HEC endpoint will be reachable over HTTP or HTTPS.
---
## Enable Reverse Proxy
A reverse proxy can be used to access Splunk through some ingress controller resource or behind a load-balancer within your corporate firewall policy. Here's how you can enable SplunkWeb to run behind a prefix route such as `/splunkweb`.
<details><summary markdown='span'><code>default.yml</code></summary><p></p>
```yaml
---
ansible_post_tasks: null
ansible_pre_tasks: null
config:
baked: default.yml
defaults_dir: /tmp/defaults
env:
headers: null
var: SPLUNK_DEFAULTS_URL
verify: true
host:
headers: null
url: null
verify: true
max_delay: 60
max_retries: 3
max_timeout: 1200
hide_password: false
retry_delay: 3
retry_num: 60
wait_for_splunk_retry_num: 60
shc_sync_retry_num: 60
splunk:
root_endpoint: /splunkweb
admin_user: admin
app_paths:
default: /opt/splunk/etc/apps
deployment: /opt/splunk/etc/deployment-apps
httpinput: /opt/splunk/etc/apps/splunk_httpinput
idxc: /opt/splunk/etc/master-apps
shc: /opt/splunk/etc/shcluster/apps
enable_service: false
exec: /opt/splunk/bin/splunk
group: splunk
hec:
enable: True
ssl: True
token: abcd-1234-efgh-5678
port: 8088
home: /opt/splunk
http_enableSSL: 0
http_enableSSL_cert: null
http_enableSSL_privKey: null
http_enableSSL_privKey_password: null
http_port: 8000
idxc:
label: idxc_label
replication_factor: 3
replication_port: 9887
search_factor: 3
secret: null
ignore_license: false
license_download_dest: /tmp/splunk.lic
opt: /opt
password: helloworld
pid: /opt/splunk/var/run/splunk/splunkd.pid
s2s_enable: true
s2s_port: 9997
search_head_cluster_url: null
secret: null
shc:
label: shc_label
replication_factor: 3
replication_port: 9887
secret: null
smartstore: null
svc_port: 8089
tar_dir: splunk
user: splunk
wildcard_license: false
splunk_home_ownership_enforcement: true
```
</details><p></p>
Execution command:
```
ansible-playbook --inventory hosts --connection local site.yml --extra-vars "@default.yml"
```
After the command runs, you can access SplunkWeb at <http://localhost:8000/splunkweb>.
---
## Provision with Dynamic Inventory
Ansible enables the use of custom inventory scripts. For more information on how to do this and how to create your own inventory script, please go to Ansible's documentation on dynamic inventories.
This codebase includes an example of this, located at `inventory/environ.py`. This script is meant for local connection use and is the primary driver in making the official Splunk Docker image successful. The `environ.py` converts environment variables into Ansible variables dynamically so there's no need for the `default.yml` from previous examples. However, in some cases, the `default.yml` is still necessary in order to consolidate state across multiple instances of a distributed deployment.
Execution command:
```
ansible-playbook --inventory inventory/environ.py --connection local site.yml
```
---
## Provision Docker Containers
The playbooks in this repository are already being used in the context of containers! For more information on how this works, please see the [docker-splunk](https://github.com/splunk/docker-splunk/) project and learn how `splunk-ansible` is incorporated.
---

Powered by BW's shoe-string budget.