Context:
To test a Splunk configuration from scratch, we will see how to deploy a lab made of one CentOS 7 box with the Splunk package installed on it.
Environment preparation:
$ mkdir -p ~/.my_vagrant/demoSplunk
$ cd ~/.my_vagrant/demoSplunk
Vagrantfile definition:
# Splunk install: shell provisioner script, run as root inside the box
$splunkinstall = <<-SCRIPT
# Package install
sudo yum localinstall /vagrant/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm -y
# Splunk setup: run as user splunk under systemd, accept the license, seed the admin password
sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 1 --accept-license --seed-passwd changeme
sudo /opt/splunk/bin/splunk start --no-prompt
SCRIPT

Vagrant.configure("2") do |config|
  config.vm.define "vm1" do |vm1|
    vm1.vm.box = "centos/7"   # resolved through Vagrant Cloud, so no box_url is needed
    vm1.vm.hostname = 'vm1'
    # Splunk Web (8000) and the splunkd management port (8089) forwarded to the host
    vm1.vm.network "forwarded_port", guest: 8000, host: 8000
    vm1.vm.network "forwarded_port", guest: 8089, host: 8089
    # Bridged adapter (the interface name is macOS-specific); the box takes a LAN address via its own DHCP client
    vm1.vm.network "public_network", bridge: "en0: Wi-Fi (AirPort)", auto_config: false
    # Copy the RPM into the box, then run the install script above
    vm1.vm.provision "file", source: "~/Downloads/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm", destination: "/vagrant/"
    vm1.vm.provision "shell", inline: $splunkinstall
  end
end
Note:
Host ports 8000 and 8089 are forwarded to the box. Vagrant binds a forwarded port on every host interface unless you add host_ip: "127.0.0.1", so Splunk Web on this lab is reachable by anything that can reach your host.
The Splunk RPM is copied into /vagrant and installed by the sequence of commands in $splunkinstall (you can also simply drop the RPM into Vagrant's working directory, which is synced to /vagrant in the box when it is created; with this box the sync is a one-way rsync, as the vagrant up output below shows).
The bridged public_network interface gives the box an address on your LAN. Together with the seed password changeme hard-coded in the Vagrantfile, that exposes a known admin login to the whole LAN: fine for a throw-away lab, not for anything else. Change the password right after the first start, or seed it from a file instead of putting it in the Vagrantfile.
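The provisioning above hard-codes the admin password on the splunk command line, where it also ends up in the vagrant up log. The script below is an added example, not code from the original post or from Splunk: it generates a random password, hands it to Splunk through user-seed.conf (Splunk's documented first-start mechanism for creating the admin user) and keeps a root-only copy in the box. SPLUNK_HOME=/opt/splunk, the user name admin, the RPM path under /vagrant and the /root/splunk-admin.pass location are assumptions for this lab.

```shell
#!/bin/sh
# Added example (not the post's or Splunk's code): provision the lab without a
# hard-coded admin password. Assumptions: SPLUNK_HOME=/opt/splunk, admin user
# "admin", RPM copied under /vagrant, password copy kept in /root/splunk-admin.pass.

# Random alphanumeric password, $1 characters long (default 20).
random_password() {
    len="${1:-20}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Write $1/etc/system/local/user-seed.conf for user $2 with password $3, mode 0600.
# Splunk reads this file on its first start to create the user.
write_user_seed() {
    seed_dir="$1/etc/system/local"
    mkdir -p "$seed_dir"
    # subshell: the restrictive umask must not leak into the caller
    ( umask 077
      printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$2" "$3" \
          > "$seed_dir/user-seed.conf" )
}

# Full provisioning sequence; runs as root because Vagrant's shell provisioner is
# privileged by default. Only executed when the script is called with "provision".
provision_splunk() {
    splunk_home=/opt/splunk
    rpm=/vagrant/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm
    pw="$(random_password 20)"

    yum localinstall -y "$rpm"
    write_user_seed "$splunk_home" admin "$pw"
    # splunkd runs as user splunk (-user splunk below), so it must be able to read the seed
    chown splunk:splunk "$splunk_home/etc/system/local/user-seed.conf"
    # root-only copy for the operator: vagrant ssh -c 'sudo cat /root/splunk-admin.pass'
    ( umask 077; printf '%s\n' "$pw" > /root/splunk-admin.pass )

    # no --seed-passwd: the password now comes from user-seed.conf
    "$splunk_home/bin/splunk" enable boot-start -user splunk -systemd-managed 1 --accept-license
    "$splunk_home/bin/splunk" start --accept-license --answer-yes --no-prompt
}

if [ "${1:-}" = "provision" ]; then
    provision_splunk
fi
```

Save it as provision-splunk.sh next to the Vagrantfile and replace the inline provisioner with vm1.vm.provision "shell", path: "provision-splunk.sh", args: ["provision"]. The password is never printed by vagrant up; read it from the box with vagrant ssh -c 'sudo cat /root/splunk-admin.pass'.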
Deployment:
$ vagrant up
Bringing machine 'vm1' up with 'virtualbox' provider...
==> vm1: Importing base box 'centos/7'...
==> vm1: Matching MAC address for NAT networking...
==> vm1: Checking if box 'centos/7' version '2004.01' is up to date...
==> vm1: Setting the name of the VM: demoSplunk_vm1_1627920777033_36081
==> vm1: Clearing any previously set network interfaces...
==> vm1: Preparing network interfaces based on configuration...
vm1: Adapter 1: nat
vm1: Adapter 2: bridged
==> vm1: Forwarding ports...
vm1: 8000 (guest) => 8000 (host) (adapter 1)
vm1: 8089 (guest) => 8089 (host) (adapter 1)
vm1: 22 (guest) => 2222 (host) (adapter 1)
==> vm1: Booting VM...
==> vm1: Waiting for machine to boot. This may take a few minutes...
vm1: SSH address: 127.0.0.1:2222
vm1: SSH username: vagrant
vm1: SSH auth method: private key
vm1:
vm1: Vagrant insecure key detected. Vagrant will automatically replace
vm1: this with a newly generated keypair for better security.
vm1:
vm1: Inserting generated public key within guest...
vm1: Removing insecure key from the guest if it's present...
vm1: Key inserted! Disconnecting and reconnecting using new SSH key...
==> vm1: Machine booted and ready!
==> vm1: Checking for guest additions in VM...
vm1: No guest additions were detected on the base box for this VM! Guest
vm1: additions are required for forwarded ports, shared folders, host only
vm1: networking, and more. If SSH fails on this machine, please install
vm1: the guest additions and repackage the box to continue.
vm1:
vm1: This is not an error message; everything may continue to work properly,
vm1: in which case you may ignore this message.
==> vm1: Setting hostname...
==> vm1: Rsyncing folder: /home/alasta/.my_vagrant/demoSplunk/ => /vagrant
==> vm1: Running provisioner: file...
vm1: ~/Downloads/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm => /vagrant/
==> vm1: Running provisioner: shell...
vm1: Running: inline script
vm1: Loaded plugins: fastestmirror
vm1: Examining /vagrant/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm: splunk-8.0.6-152fb4b2bb96.x86_64
vm1: Marking /vagrant/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm to be installed
vm1: Resolving Dependencies
vm1: --> Running transaction check
vm1: ---> Package splunk.x86_64 0:8.0.6-152fb4b2bb96 will be installed
vm1: --> Finished Dependency Resolution
vm1:
vm1: Dependencies Resolved
vm1:
vm1: ================================================================================
vm1: Package
vm1: Arch Version Repository Size
vm1: ================================================================================
vm1: Installing:
vm1: splunk
vm1: x86_64 8.0.6-152fb4b2bb96 /splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64 1.3 G
vm1:
vm1: Transaction Summary
vm1: ================================================================================
vm1: Install 1 Package
vm1:
vm1: Total size: 1.3 G
vm1: Installed size: 1.3 G
vm1: Downloading packages:
vm1: Running transaction check
vm1: Running transaction test
vm1: Transaction test succeeded
vm1: Running transaction
vm1: useradd: cannot create directory /opt/splunk
vm1: Installing : splunk-8.0.6-152fb4b2bb96.x86_64 1/1
vm1: complete
vm1: Verifying : splunk-8.0.6-152fb4b2bb96.x86_64 1/1
vm1:
vm1: Installed:
vm1: splunk.x86_64 0:8.0.6-152fb4b2bb96
vm1:
vm1: Complete!
vm1: Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
vm1: Generating RSA private key, 2048 bit long modulus
vm1: .............................................................................+++++
vm1: ..+++++
vm1: unable to write 'random state'
vm1: e is 65537 (0x10001)
vm1: writing RSA key
vm1:
vm1: Generating RSA private key, 2048 bit long modulus
vm1: ......................................................+++++
vm1: ...........................................................................+++++
vm1: unable to write 'random state'
vm1: e is 65537 (0x10001)
vm1: writing RSA key
vm1:
vm1: Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
vm1:
vm1: This appears to be your first time running this version of Splunk.
vm1: Systemd unit file installed at /etc/systemd/system/Splunkd.service.
vm1: Configured as systemd managed service.
vm1:
vm1: Splunk> All batbelt. No tights.
vm1:
vm1: Checking prerequisites...
vm1: Checking http port [8000]: open
vm1: Checking mgmt port [8089]: open
vm1: Checking appserver port [127.0.0.1:8065]: open
vm1: Checking kvstore port [8191]: open
vm1: Checking configuration... Done.
vm1: New certs have been generated in '/opt/splunk/etc/auth'.
vm1: Checking critical directories... Done
vm1: Checking indexes...
vm1: Validated: _audit _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
vm1: Done
vm1: Creating: /opt/splunk/var/lib/splunk
vm1: Creating: /opt/splunk/var/run/splunk
vm1: Creating: /opt/splunk/var/run/splunk/appserver/i18n
vm1: Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
vm1: Creating: /opt/splunk/var/run/splunk/upload
vm1: Creating: /opt/splunk/var/run/splunk/search_telemetry
vm1: Creating: /opt/splunk/var/spool/splunk
vm1: Creating: /opt/splunk/var/spool/dirmoncache
vm1: Creating: /opt/splunk/var/lib/splunk/authDb
vm1: Creating: /opt/splunk/var/lib/splunk/hashDb
vm1: Checking filesystem compatibility... Done
vm1: Checking conf files for problems...
vm1: Done
vm1: Checking default conf files for edits...
vm1: Validating installed files against hashes from '/opt/splunk/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64-manifest'
vm1: Generating a RSA private key
vm1: ..+++++
vm1: .........................................................................+++++
vm1: unable to write 'random state'
vm1: writing new private key to 'privKeySecure.pem'
vm1: -----
vm1: Signature ok
vm1: subject=/CN=vm1/O=SplunkUser
vm1: Getting CA Private Key
vm1: unable to write 'random state'
vm1: writing RSA key
vm1: All installed files intact.
vm1: Done
vm1: All preliminary checks passed.
vm1:
vm1: Starting splunk server daemon (splunkd)...
vm1: [ OK ]
vm1: Done
Tests:
GUI access:
Getting the box's bridged ("public") IP address
$ vagrant ssh
Last login: Mon Aug 2 14:37:41 2021 from 10.0.2.2
[vagrant@vm1 ~]$ ip -4 addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
valid_lft 85595sec preferred_lft 85595sec
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.139.29/24 brd 192.168.139.255 scope global noprefixroute dynamic eth1
valid_lft 2797sec preferred_lft 2797sec
The bridged address is 192.168.139.29 on eth1; eth0 (10.0.2.15) is the NAT adapter Vagrant uses for SSH and the forwarded ports (to know which adapter maps to which interface, check the hypervisor configuration). Because of the forwarded ports, http://localhost:8000 on the host works as well.
Test with a browser:
http://<IP-pub>:8000 (here http://192.168.139.29:8000)
with the account **admin** and the password **changeme**.
Management port access (the splunkd REST API on 8089, used by the Splunk CLI, forwarders and REST clients, not by people in a browser):
$ openssl s_client -connect <IP-pub>:8089
CONNECTED(00000003)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---
......
We do have a working TLS connection that presents a certificate. Look at which one: the leaf is SplunkServerDefaultCert issued by SplunkCommonCA, i.e. the default certificates Splunk generated at first start (New certs have been generated in '/opt/splunk/etc/auth' in the output above), and verify error:num=19 is expected for them. They encrypt the 8089 traffic but give no meaningful authentication, since SplunkCommonCA ships with every Splunk download; replace them with certificates from your own CA before anything other than a throw-away lab can reach this port.
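To make that check repeatable, here is an added example (not part of the original post): a small script that classifies an openssl s_client chain as the stock Splunk one or a custom one, counts the verify errors, and, for a live box, re-runs the handshake pinned to the CA Splunk generated in /opt/splunk/etc/auth and queries the REST API behind 8089. The two sample chains are constructed (the first abbreviates the output shown above); the host name, the cacert.pem path and the admin:changeme credentials are assumptions for this lab.

```shell
#!/bin/sh
# Added example (not from the post): tell Splunk's default certificate chain apart
# from a real one in `openssl s_client` output, then verify a live box.
# Assumptions: lab host passed as $1, default CA at /opt/splunk/etc/auth/cacert.pem,
# lab credentials admin:changeme.

# Constructed sample: the chain the lab above printed, abbreviated.
SAMPLE_DEFAULT_CHAIN='CONNECTED(00000003)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
   i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
 1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
   i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---'

# Constructed sample: what a chain issued by an internal CA would look like.
SAMPLE_CUSTOM_CHAIN='CONNECTED(00000003)
depth=1 CN = Lab Internal CA
verify return:1
---
Certificate chain
 0 s:/CN=vm1.lab.example/O=Lab
   i:/CN=Lab Internal CA
---'

# Read s_client output on stdin; print "default" when the leaf is the stock
# SplunkServerDefaultCert issued by SplunkCommonCA, "custom" otherwise.
classify_chain() {
    chain="$(cat)"
    if printf '%s\n' "$chain" | grep -q 'CN=SplunkServerDefaultCert' \
       && printf '%s\n' "$chain" | grep -q 'i:.*CN=SplunkCommonCA'; then
        echo default
    else
        echo custom
    fi
}

# Read s_client output on stdin; print the number of "verify error" lines
# (grep -c prints 0 but exits 1 when nothing matches, hence || true).
verify_errors() {
    grep -c '^verify error' || true
}

# Live check of a running lab (not run by the test). $1 = host/IP, $2 = CA file.
# From the host, fetch the CA first: vagrant ssh -c 'sudo cat /opt/splunk/etc/auth/cacert.pem' > lab-ca.pem
check_mgmt_port() {
    host="$1"
    ca="${2:-/opt/splunk/etc/auth/cacert.pem}"
    out="$(openssl s_client -connect "$host:8089" -servername "$host" </dev/null 2>/dev/null)"
    printf 'chain: %s, verify errors with system trust store: %s\n' \
        "$(printf '%s\n' "$out" | classify_chain)" "$(printf '%s\n' "$out" | verify_errors)"
    # Pinning the lab CA makes the handshake verify; it does not make the cert trustworthy elsewhere.
    openssl s_client -connect "$host:8089" -servername "$host" -CAfile "$ca" </dev/null 2>/dev/null \
        | grep '^Verify return code'
    # The REST API on 8089 requires credentials; -k only because of the lab certificate.
    curl -k -s -u admin:changeme "https://$host:8089/services/server/info?output_mode=json" | head -c 200
    echo
}
```

Run check_mgmt_port 192.168.139.29 lab-ca.pem from the host; "chain: default" is the signal that the stock certificates are still in place.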