Brendan Murtagh
2013-Jan-08 15:01 UTC
[Puppet Users] Splunk Module Development Recommendations
Good morning,

We've been testing PE and beginning developing modules for our infrastructure. One of the modules I'm looking to create is an installation for Splunk, with the primary focus at this time, on the Forwarder. I already have the splunkforwarder-5.0.1-143156-linux-2.6-amd64.deb package being fetched from the Master and also performing the installation via dpkg. I need help brainstorming/figuring out the best way to handle the rest of the installation/configuration commands. Here is the guide I was given to complete the installation for the Splunk Forwarder:

    dpkg -i splunkforwarder-5.0.1-143156-linux-2.6-amd64.deb

    source /opt/splunkforwarder/bin/setSplunkEnv

    splunk start

    splunk add forward-server 10.1.1.45:9996
      Splunk username: admin
      Password: password

    splunk restart

    splunk enable boot-start

    cd /data/apps/ror/pws/current/log

    splunk add monitor .

    edit /opt/splunkforwarder/etc/apps/search/local/inputs.conf

    Add the following lines:

    inputs.conf for the web servers
    [monitor:///var/log]
    disabled = false

    [monitor:///data/apps/ror/pws/shared/log/leads.log]
    disabled = false
    sourcetype = est_appts

    [monitor:///data/apps/ror/pws/shared/log/audit.log]
    disabled = false
    sourcetype = salesbooks

    [monitor:///data/apps/ror/pws/shared/log/production.log]
    disabled = false
    sourcetype = rails

    [monitor:///data/apps/ror/pws/shared/log/call_attempts.log]
    disabled = false
    sourcetype = call_attempts

    [monitor:///data/apps/ror/pws/shared/log/call_selection.log]
    disabled = false
    sourcetype = call_selection

I'm ok using a template/content parameter for handling the /opt/splunkforwarder/etc/apps/search/local/inputs.conf file. What are some of the recommended ways for handling the install steps prior to the inputs.conf edits?

Thanks,

Brendan
Darin Perusich
2013-Jan-08 19:12 UTC
Re: [Puppet Users] Splunk Module Development Recommendations
I've broken my splunk module in splunk::client for the forwarder and splunk::server for the server. Both inherit splunk which realizes the user and group, I don't let the splunk packages create them cuz they're created as non-system accounts which collide with ldap accounts, and creates the init script, again modified since I don't like the supplied one. The client also creates the deploymentclient.conf so we can push what to monitor from the splunk server.

No need to add forward-server or any of that other stuff.

--
Later,
Darin
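An added example, not part of the thread and not Darin's actual module: a minimal Puppet class along the lines he describes, where the forwarder gets a managed deploymentclient.conf instead of interactive `splunk add forward-server` and `splunk add monitor` commands, so no Splunk admin username or password has to appear in the manifest. The class name, parameters, staging path and deployment server address are assumptions; the package file name and install path come from the original post.

```puppet
# Added example. Class name, parameter names, the staging path and the
# deployment server address are hypothetical; the .deb file name and
# /opt/splunkforwarder come from the thread.
class splunk_forwarder (
  $deb               = '/opt/staging/splunkforwarder-5.0.1-143156-linux-2.6-amd64.deb',
  $deployment_server = 'splunk-ds.example.com:8089',  # assumed host:port
) {
  $home = '/opt/splunkforwarder'

  # Replaces the manual `dpkg -i`; the dpkg provider needs a local source file.
  package { 'splunkforwarder':
    ensure   => installed,
    provider => dpkg,
    source   => $deb,
  }

  # Managed as a file, so no `splunk add ...` command is run and no admin
  # credentials end up in the manifest, reports or process arguments.
  # Adjust owner/group if the forwarder runs as a dedicated account.
  file { "${home}/etc/system/local/deploymentclient.conf":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "[deployment-client]\n\n[target-broker:deploymentServer]\ntargetUri = ${deployment_server}\n",
    require => Package['splunkforwarder'],
    notify  => Service['splunk'],
  }

  # Replaces `splunk start` + `splunk enable boot-start`; `creates` keeps it
  # from running again once the init script exists.
  exec { 'splunk-enable-boot-start':
    command => "${home}/bin/splunk enable boot-start --accept-license --answer-yes --no-prompt",
    creates => '/etc/init.d/splunk',
    require => Package['splunkforwarder'],
  }

  service { 'splunk':
    ensure  => running,
    enable  => true,
    require => Exec['splunk-enable-boot-start'],
  }
}
```

Without a deployment server, the same file-resource pattern applies to outputs.conf, which is where `splunk add forward-server` records its target.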
Brendan Murtagh
2013-Jan-09 13:26 UTC
Re: [Puppet Users] Splunk Module Development Recommendations
Thanks for the input Darin. I did want to question why you don't add or have a place in code for the add forward server? Is it because it's contained in templates that you reference?
Keiran Sweet
2013-Jan-09 13:47 UTC
[Puppet Users] Re: Splunk Module Development Recommendations
Hi there,

I'm not sure if Luke's splunk work has hit the forge, but you may find some useful splunk/puppet examples here: http://verypowerful.info/

I know he did talk at the Sydney puppet camp last year about this topic, however I've not been able to locate his slides, his contact details are on the link above, so maybe it's worth reaching out to see if you can get a copy.

Cheers,

K
Brendan Murtagh
2013-Jan-09 13:55 UTC
Re: [Puppet Users] Splunk Module Development Recommendations
Hey Keiran,

That's one of my sources that I'm using as a guide when developing our module. I think some of his stuff is excessive for our infrastructure so I'm utilizing bits & pieces from his work and building around it.

Thanks,

Brendan