We deploy Splunk from our own repo and then use a combination of the below
stuff to get it working. (I chopped a few custom environment bits out, but
you'll get the idea from the stuff below.) Obviously there's a bunch of
files and a few templates, but they are almost all environment-specific/the
stock files tweaked for hostnames. Hopefully this will be enough to get you
running!
================
init.pp:
================
class splunk4 {
  file { "/etc/init.d/splunk":
    ensure => "present",
    source => "puppet:///modules/splunk4/init-splunk",
  }
  file { "/opt/splunk/etc/apps/unix/local/":
    ensure => "directory",
    require => Package["splunk"],
  }
  file { "/opt/splunk/etc/apps/unix/local/app.conf":
    source => "puppet:///modules/splunk4/enableunix.conf",
    ensure => "present",
    require => [ Package["splunk"],
                 File["/opt/splunk/etc/apps/unix/local/"] ],
    notify => Service["splunk"],
  }
  file { "/opt/splunk/etc/apps/unix/local/inputs.conf":
    content => template("splunk4/unix.conf.erb"),
    ensure => "present",
    require => [ Package["splunk"],
                 File["/opt/splunk/etc/apps/unix/local/"] ],
    notify => Service["splunk"],
  }
  package {
    "splunk":
      ensure => "present",
  }
  service {
    "splunk":
      ensure => "running",
      hasrestart => "true",
      require => [ Service["auditd"],
                   File["/opt/splunk/etc/apps/unix/local/app.conf"],
                   File["/etc/init.d/splunk"], ];
    "auditd":
      ensure => "running",
      enable => "true",
      hasrestart => "true",
      hasstatus => "true";
  }
}
define splunk4::inputs($value) {
  case $ipaddress {
    /^x.x.x/: {
      concat::fragment{"splunk4_${name}":
        target => "/opt/splunk/etc/system/local/inputs.conf",
        content => "[monitor://$value]\nindex = dev\ndisabled = false\n\n",
      }
    }
    default: {
      concat::fragment{"splunk4_${name}":
        target => "/opt/splunk/etc/system/local/inputs.conf",
        content => "[monitor://$value]\ndisabled = false\n\n",
      }
    }
  }
}
==============
client.pp:
==============
class splunk4::client inherits splunk4 {
  include concat::setup
  $splunkpassword = "changeme"
  file { "/opt/splunk/etc/apps/SplunkLightForwarder/local/":
    ensure => "directory",
    require => Package["splunk"],
  }
  file { "/opt/splunk/etc/apps/SplunkLightForwarder/local/app.conf":
    source => "puppet:///modules/splunk4/client/enablelightforwarder.conf",
    ensure => "present",
    recurse => "true",
    notify => Service["splunk"],
    require => [ Package["splunk"],
                 File["/opt/splunk/etc/apps/SplunkLightForwarder/local/"] ],
  }
  file { "/opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf":
    source => "puppet:///modules/splunk4/client/lightforwarder-inputs.conf",
    ensure => "present",
    recurse => "true",
    notify => Service["splunk"],
    require => [ Package["splunk"],
                 File["/opt/splunk/etc/apps/SplunkLightForwarder/local/"] ],
  }
  # Override the base class splunk4 service to make sure the forwarding is
  # enabled and that the list of things splunk indexes are in place.
  Service["splunk"] {
    require +> [
      File["/opt/splunk/etc/apps/SplunkLightForwarder/local/app.conf"],
      File["/opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf"] ],
  }
  # First we setup a concat{} resource on a file, and then we immediately
  # place a fragment in place that consists of some static things we wish
  # to filter out of splunk. The order => 10 ensures this is placed at
  # the top of the file.
  concat { "/opt/splunk/etc/system/local/inputs.conf":
    notify => Service["splunk"],
    require => Package["splunk"],
  }
  concat::fragment{"filters":
    target => "/opt/splunk/etc/system/local/inputs.conf",
    order => "10",
    source => "puppet:///modules/splunk4/client/filters-input.conf"
  }
  # Each call to inputs{} adds an additional fragment into the inputs.conf
  # and is defined in init.pp.
  splunk4::inputs{"messages":
    value => "/var/log/messages",
  }
  splunk4::inputs{"secure":
    value => "/var/log/secure",
  }
  splunk4::inputs{"mail":
    value => "/var/log/mail",
  }
  splunk4::inputs{"maillog":
    value => "/var/log/maillog",
  }
  file { "/opt/splunk/etc/system/local/outputs.conf":
    ensure => "present",
    source => "puppet:///modules/splunk4/client/outputs.conf",
    require => Package["splunk"],
    notify => Service["splunk"];
  }
}
==================
server.pp
==================
class splunk4::server {
  include splunk4
  file {
    "/data/splunk":
      ensure => directory,
      before => Package["splunk"];
    "/opt/splunk/etc/system/local/authentication.conf":
      source => "puppet:///modules/splunk4/server/authentication.conf",
      ensure => "present",
      notify => Service["splunk"],
      require => Package["splunk"];
    "/opt/splunk/etc/auth/splunk.secret":
      source => "puppet:///modules/splunk4/server/splunk.secret",
      ensure => "present",
      notify => Service["splunk"],
      require => Package["splunk"];
    "/opt/splunk/etc/system/local/indexes.conf":
      source => "puppet:///modules/splunk4/server/indexes.conf",
      ensure => "present",
      notify => Service["splunk"],
      require => Package["splunk"];
    "/opt/splunk/etc/splunk-launch.conf":
      source => "puppet:///modules/splunk4/server/splunk-launch.conf",
      ensure => "present",
      notify => Service["splunk"],
      require => Package["splunk"];
  }
}
On Tue, Jul 13, 2010 at 6:23 AM, Matthew Macdonald-Wallace <
[email protected]> wrote:
> Hi all,
>
> We're looking at deploying Splunk using puppet - can anyone give any
> guidance on the best way to do this?
>
> We need to setup light-forwarders and an indexing service via puppet
> manifests however it looks like we're going to have to maintain a
> custom yum repo - how do other people do it?
>
> Kind regards.
>
> Matt
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
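
The server.pp class in the reply above manages splunk.secret and authentication.conf without an explicit owner or mode, so the permissions on the indexer depend on the source file and the agent's defaults. An added example (not the poster's code) of those two entries with permissions pinned; the class name splunk4::server::secrets and the assumption that Splunk runs as root are illustrative, not from the thread.

```puppet
# Added example, not part of the original post.
# Hypothetical class: use it in place of the splunk.secret and
# authentication.conf entries in splunk4::server (declaring the same
# file in both classes would be a duplicate resource).
class splunk4::server::secrets {
  include splunk4

  # Assumption: splunkd runs as root on these hosts. If it runs as a
  # dedicated account, set owner and group to that account instead.
  File {
    owner => 'root',
    group => 'root',
  }

  file {
    # Key material used by Splunk to protect stored credentials:
    # readable by the owner only.
    '/opt/splunk/etc/auth/splunk.secret':
      ensure  => 'present',
      source  => 'puppet:///modules/splunk4/server/splunk.secret',
      mode    => '0400',
      # Do not keep replaced copies of the secret in the filebucket.
      backup  => false,
      notify  => Service['splunk'],
      require => Package['splunk'];

    # Authentication settings: owner read/write, nothing for others.
    '/opt/splunk/etc/system/local/authentication.conf':
      ensure  => 'present',
      source  => 'puppet:///modules/splunk4/server/authentication.conf',
      mode    => '0600',
      backup  => false,
      notify  => Service['splunk'],
      require => Package['splunk'];
  }
}
```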