Vagrant - Setting up a Splunk lab
Alasta 2 August 2021 vagrant vagrant admin template automate cli splunk
Description: set up a Splunk lab with one VM/box using Vagrant
Context:
To test a Splunk configuration from scratch, we will see how to deploy a lab made of a single CentOS 7 box on which the Splunk package is installed.
Environment preparation:
$ mkdir -p ~/.my_vagrant/demoSplunk
$ cd ~/.my_vagrant/demoSplunk
Vagrantfile definition:
# Splunk install
$splunkinstall = <<-SCRIPT
# Package installing
sudo yum localinstall /vagrant/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm -y
# Setup Splunk config
sudo /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 1 --accept-license --seed-passwd changeme
sudo /opt/splunk/bin/splunk start --no-prompt

SCRIPT

Vagrant.configure("2") do |config|
  config.vm.define "vm1" do |vm1|
    vm1.vm.box = "centos/7"
    vm1.vm.hostname = 'vm1'
    vm1.vm.box_url = "centos/7"
    vm1.vm.network "forwarded_port", guest: 8000, host: 8000
    vm1.vm.network "forwarded_port", guest: 8089, host: 8089
    vm1.vm.network "public_network", bridge: "en0: Wi-Fi (AirPort)", auto_config: false
    vm1.vm.provision "file", source: "~/Downloads/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm", destination: "/vagrant/"
    vm1.vm.provision "shell", inline: $splunkinstall
  end
end
Note:
- Local ports 8000 (web UI) and 8089 (management) are forwarded/mapped to the box
- The Splunk RPM is copied into the box's /vagrant folder so that the series of commands in splunkinstall can install it (alternatively, just drop the RPM in the Vagrant working directory, which is synced to the box's /vagrant when the box is created)
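The provisioning script above hardcodes the admin seed password in the Vagrantfile. The following Ruby helper is an added example, not code from the original post: it builds the same inline script from parameters, shell-escapes the password so that quotes, spaces or `$` cannot break (or extend) the `splunk` command line, and lints the lab choices before `vagrant up`. The environment variable name `SPLUNK_SEED_PASSWD` and the function names are assumptions chosen for this example; the `/vagrant` path, RPM name and `splunk` CLI flags are those used in the post.

```ruby
# Added example, not from the original post: generate the Splunk provisioning
# script with an externally supplied seed password and flag weak lab settings.
require "shellwords"

# RPM name used in the post's Vagrantfile.
DEFAULT_RPM = "splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm"

# Returns the inline shell script Vagrant will run inside the box.
# Every interpolated value is shell-escaped, so a password such as  pa ss'$1
# stays a single argument to --seed-passwd instead of being split or expanded.
def splunk_install_script(rpm: DEFAULT_RPM, seed_passwd:, splunk_user: "splunk")
  raise ArgumentError, "seed password must not be empty" if seed_passwd.to_s.empty?
  rpm_path = Shellwords.escape("/vagrant/#{rpm}")
  passwd   = Shellwords.escape(seed_passwd)
  user     = Shellwords.escape(splunk_user)
  <<~SCRIPT
    set -eu
    # Package installing
    sudo yum localinstall #{rpm_path} -y
    # Setup Splunk config (the seed password only creates the admin account on first start)
    sudo /opt/splunk/bin/splunk enable boot-start -user #{user} -systemd-managed 1 --accept-license --seed-passwd #{passwd}
    sudo /opt/splunk/bin/splunk start --no-prompt
  SCRIPT
end

# Lints the lab settings mirrored from the post's Vagrantfile and returns a list
# of findings (an empty list means nothing to flag).
def lab_findings(seed_passwd:, forwarded_ports:, public_network:)
  findings = []
  findings << "seed password is the well-known default 'changeme'" if seed_passwd == "changeme"
  findings << "management port 8089 is forwarded to the host" if forwarded_ports.include?(8089)
  if public_network && seed_passwd == "changeme"
    findings << "box is bridged to the LAN (public_network) while using the default password"
  end
  findings
end

# Usage from a Vagrantfile (assumed variable name SPLUNK_SEED_PASSWD):
#   seed = ENV.fetch("SPLUNK_SEED_PASSWD") { abort "set SPLUNK_SEED_PASSWD before vagrant up" }
#   $splunkinstall = splunk_install_script(seed_passwd: seed)
#   lab_findings(seed_passwd: seed, forwarded_ports: [8000, 8089], public_network: true)
#     .each { |f| warn "WARNING: #{f}" }
if __FILE__ == $PROGRAM_NAME
  seed = ENV.fetch("SPLUNK_SEED_PASSWD", "changeme")
  lab_findings(seed_passwd: seed, forwarded_ports: [8000, 8089], public_network: true).each { |f| warn "WARNING: #{f}" }
  puts splunk_install_script(seed_passwd: seed)
end
```

Keeping the password out of the Vagrantfile also keeps it out of the git history of the lab directory; the `lab_findings` check is there so that the "changeme on a bridged interface" combination is a deliberate choice rather than an accident.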
Deployment:
$ vagrant up
Bringing machine 'vm1' up with 'virtualbox' provider...
==> vm1: Importing base box 'centos/7'...
==> vm1: Matching MAC address for NAT networking...
==> vm1: Checking if box 'centos/7' version '2004.01' is up to date...
==> vm1: Setting the name of the VM: demoSplunk_vm1_1627920777033_36081
==> vm1: Clearing any previously set network interfaces...
==> vm1: Preparing network interfaces based on configuration...
    vm1: Adapter 1: nat
    vm1: Adapter 2: bridged
==> vm1: Forwarding ports...
    vm1: 8000 (guest) => 8000 (host) (adapter 1)
    vm1: 8089 (guest) => 8089 (host) (adapter 1)
    vm1: 22 (guest) => 2222 (host) (adapter 1)
==> vm1: Booting VM...
==> vm1: Waiting for machine to boot. This may take a few minutes...
    vm1: SSH address: 127.0.0.1:2222
    vm1: SSH username: vagrant
    vm1: SSH auth method: private key
    vm1:
    vm1: Vagrant insecure key detected. Vagrant will automatically replace
    vm1: this with a newly generated keypair for better security.
    vm1:
    vm1: Inserting generated public key within guest...
    vm1: Removing insecure key from the guest if it's present...
    vm1: Key inserted! Disconnecting and reconnecting using new SSH key...
==> vm1: Machine booted and ready!
==> vm1: Checking for guest additions in VM...
    vm1: No guest additions were detected on the base box for this VM! Guest
    vm1: additions are required for forwarded ports, shared folders, host only
    vm1: networking, and more. If SSH fails on this machine, please install
    vm1: the guest additions and repackage the box to continue.
    vm1:
    vm1: This is not an error message; everything may continue to work properly,
    vm1: in which case you may ignore this message.
==> vm1: Setting hostname...
==> vm1: Rsyncing folder: /home/alasta/.my_vagrant/demoSplunk/ => /vagrant
==> vm1: Running provisioner: file...
    vm1: ~/Downloads/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm => /vagrant/
==> vm1: Running provisioner: shell...
    vm1: Running: inline script
    vm1: Loaded plugins: fastestmirror
    vm1: Examining /vagrant/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm: splunk-8.0.6-152fb4b2bb96.x86_64
    vm1: Marking /vagrant/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm to be installed
    vm1: Resolving Dependencies
    vm1: --> Running transaction check
    vm1: ---> Package splunk.x86_64 0:8.0.6-152fb4b2bb96 will be installed
    vm1: --> Finished Dependency Resolution
    vm1:
    vm1: Dependencies Resolved
    vm1:
    vm1: ================================================================================
    vm1: Package
    vm1: Arch Version Repository Size
    vm1: ================================================================================
    vm1: Installing:
    vm1: splunk
    vm1: x86_64 8.0.6-152fb4b2bb96 /splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64 1.3 G
    vm1:
    vm1: Transaction Summary
    vm1: ================================================================================
    vm1: Install 1 Package
    vm1:
    vm1: Total size: 1.3 G
    vm1: Installed size: 1.3 G
    vm1: Downloading packages:
    vm1: Running transaction check
    vm1: Running transaction test
    vm1: Transaction test succeeded
    vm1: Running transaction
    vm1: useradd: cannot create directory /opt/splunk
    vm1: Installing : splunk-8.0.6-152fb4b2bb96.x86_64 1/1
    vm1: complete
    vm1: Verifying : splunk-8.0.6-152fb4b2bb96.x86_64 1/1
    vm1:
    vm1: Installed:
    vm1: splunk.x86_64 0:8.0.6-152fb4b2bb96
    vm1:
    vm1: Complete!
    vm1: Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
    vm1: Generating RSA private key, 2048 bit long modulus
    vm1: .............................................................................+++++
    vm1: ..+++++
    vm1: unable to write 'random state'
    vm1: e is 65537 (0x10001)
    vm1: writing RSA key
    vm1:
    vm1: Generating RSA private key, 2048 bit long modulus
    vm1: ......................................................+++++
    vm1: ...........................................................................+++++
    vm1: unable to write 'random state'
    vm1: e is 65537 (0x10001)
    vm1: writing RSA key
    vm1:
    vm1: Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
    vm1:
    vm1: This appears to be your first time running this version of Splunk.
    vm1: Systemd unit file installed at /etc/systemd/system/Splunkd.service.
    vm1: Configured as systemd managed service.
    vm1:
    vm1: Splunk> All batbelt. No tights.
    vm1:
    vm1: Checking prerequisites...
    vm1: Checking http port [8000]: open
    vm1: Checking mgmt port [8089]: open
    vm1: Checking appserver port [127.0.0.1:8065]: open
    vm1: Checking kvstore port [8191]: open
    vm1: Checking configuration... Done.
    vm1: New certs have been generated in '/opt/splunk/etc/auth'.
    vm1: Checking critical directories... Done
    vm1: Checking indexes...
    vm1: Validated: audit internal introspection metrics metrics_rollup telemetry _thefishbucket history main summary
    vm1: Done
    vm1: Creating: /opt/splunk/var/lib/splunk
    vm1: Creating: /opt/splunk/var/run/splunk
    vm1: Creating: /opt/splunk/var/run/splunk/appserver/i18n
    vm1: Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
    vm1: Creating: /opt/splunk/var/run/splunk/upload
    vm1: Creating: /opt/splunk/var/run/splunk/search_telemetry
    vm1: Creating: /opt/splunk/var/spool/splunk
    vm1: Creating: /opt/splunk/var/spool/dirmoncache
    vm1: Creating: /opt/splunk/var/lib/splunk/authDb
    vm1: Creating: /opt/splunk/var/lib/splunk/hashDb
    vm1: Checking filesystem compatibility... Done
    vm1: Checking conf files for problems...
    vm1: Done
    vm1: Checking default conf files for edits...
    vm1: Validating installed files against hashes from '/opt/splunk/splunk-8.0.6-152fb4b2bb96-linux-2.6-x86_64-manifest'
    vm1: Generating a RSA private key
    vm1: ..+++++
    vm1: .........................................................................+++++
    vm1: unable to write 'random state'
    vm1: writing new private key to 'privKeySecure.pem'
    vm1: -----
    vm1: Signature ok
    vm1: subject=/CN=vm1/O=SplunkUser
    vm1: Getting CA Private Key
    vm1: unable to write 'random state'
    vm1: writing RSA key
    vm1: All installed files intact.
    vm1: Done
    vm1: All preliminary checks passed.
    vm1:
    vm1: Starting splunk server daemon (splunkd)...
    vm1: [ OK ]
    vm1: Done
Tests:
GUI access:
Get the box's public IP
$ vagrant ssh
Last login: Mon Aug 2 14:37:41 2021 from 10.0.2.2
[vagrant@vm1 ~]$ ip -4 addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 85595sec preferred_lft 85595sec
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.139.29/24 brd 192.168.139.255 scope global noprefixroute dynamic eth1
       valid_lft 2797sec preferred_lft 2797sec
The public IP is 192.168.139.29 (to know which adapter maps to which interface, check the hypervisor configuration).
Test with a browser:
http://
With the admin account and the password changeme.
Management access (not used by users/admins):
$ openssl s_client -connect <IP-pub>:8089
CONNECTED(00000003)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
   i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
 1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
   i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
---
......
We do have a working TLS connection to the management port, presented with a certificate.
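The chain printed above is worth reading rather than just noting that TLS works: the leaf is `CN=SplunkServerDefaultCert` issued by `SplunkCommonCA`, which is the default certificate material Splunk ships in every installation, so it proves the port answers but not which server you are talking to. The Ruby script below is an added example, not code from the original post: it parses the `openssl s_client` text (the chain from the post is embedded as sample input), extracts the chain and the verify error, and reports the defender-relevant findings. The DN parser follows the `/`-separated format shown in the post and also accepts the `C = US, ST = CA` style that newer OpenSSL releases print; it assumes DN values contain no commas in that second form.

```ruby
# Added example, not from the original post: assess what `openssl s_client`
# reveals about the Splunk management port (8089) certificate chain.

# Sample output, copied from the chain shown in the post (truncated after the chain).
SAMPLE_S_CLIENT_OUTPUT = <<~OUT
  CONNECTED(00000003)
  depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  ---
  Certificate chain
   0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
     i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
   1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
     i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
  ---
OUT

# Parses a distinguished name into a hash such as {"CN" => "...", "O" => "..."}.
# Accepts the legacy "/C=US/CN=x" form and the newer "C = US, CN = x" form.
def parse_dn(dn)
  parts = dn.start_with?("/") ? dn.split("/") : dn.split(/,\s*/)
  parts.reject(&:empty?).each_with_object({}) do |part, h|
    key, value = part.split("=", 2).map(&:strip)
    h[key] = value
  end
end

# Returns { chain: [{subject:, issuer:}, ...], verify_error: Integer or nil }.
# Chain entry 0 is the leaf (the server certificate), the last entry the root presented.
def parse_s_client(output)
  chain = []
  verify_error = nil
  output.each_line do |line|
    case line
    when /verify error:num=(\d+):/
      verify_error = Regexp.last_match(1).to_i
    when /^\s*(\d+)\s+s:(.*)$/
      chain << { subject: parse_dn(Regexp.last_match(2).strip), issuer: nil }
    when /^\s*i:(.*)$/
      chain.last[:issuer] = parse_dn(Regexp.last_match(1).strip) if chain.last
    end
  end
  { chain: chain, verify_error: verify_error }
end

# Security assessment of the presented chain. Splunk's stock certificate is
# CN=SplunkServerDefaultCert signed by the shared SplunkCommonCA; since the same
# key material ships with every install, it offers no server identity guarantee.
def assess_mgmt_port(output)
  parsed = parse_s_client(output)
  leaf = parsed[:chain].first
  return { findings: ["no certificate chain found"], parsed: parsed } if leaf.nil?
  findings = []
  findings << "leaf is Splunk's default certificate (CN=SplunkServerDefaultCert)" if leaf[:subject]["CN"] == "SplunkServerDefaultCert"
  findings << "chain is issued by the shared SplunkCommonCA" if leaf[:issuer] && leaf[:issuer]["CN"] == "SplunkCommonCA"
  findings << "chain does not verify (openssl verify error #{parsed[:verify_error]})" if parsed[:verify_error]
  { findings: findings, parsed: parsed }
end

# Usage: save the s_client output to a file, e.g.
#   openssl s_client -connect <IP-pub>:8089 < /dev/null > mgmt.txt 2>&1
# then run `ruby this_script.rb mgmt.txt`; with no argument the embedded sample is used.
if __FILE__ == $PROGRAM_NAME
  output = ARGV.empty? ? SAMPLE_S_CLIENT_OUTPUT : File.read(ARGV[0])
  assess_mgmt_port(output)[:findings].each { |f| puts "- #{f}" }
end
```

Against the post's own output the script reports all three findings, which is the expected state of a fresh lab; replacing `/opt/splunk/etc/auth/server.pem` with a certificate issued by your own CA is what makes the second check (and mutual authentication between Splunk components) meaningful.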