chef-splunk Cookbook

This cookbook manages a Splunk Universal Forwarder (client) or a Splunk Enterprise (server) installation, including a Splunk clustered environment.

The Splunk default user is admin and the password is changeme. See the setup_auth recipe below for more information about how to manage changing the password with Chef and Chef Vault.

This recipe downloads packages from Splunk directly. There are attributes to set a URL to retrieve the packages, so if the packages are mirrored locally, supply the local URL instead. At this time the cookbook doesn't support installing from networked package managers (like apt or yum), since Splunk doesn't provide package repositories.

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Chef 15.5 or newer

License Acceptance

In the past, it was sufficient to set the node['splunk']['accept_license'] attribute either in a wrapper cookbook, role, or chef environment, and the recipes in this cookbook would enable and run the splunk service with --accept-license. Starting with version 3.0.0, this attribute must be set to boolean true. A value resulting in anything other than boolean true will be considered as not accepting the Splunk EULA.

For example, these will not accept the Splunk license:

node.default['splunk']['accept_license'] = false
node.default['splunk'] = { 'accept_license' => nil }
node.default['splunk']['accept_license'] = ''
node.default['splunk']['accept_license'] = 'true'

Only this will accept the license:

node.default['splunk']['accept_license'] = true

Platforms

This cookbook uses Test Kitchen to do cross-platform convergence and post-convergence tests. The tested platforms are considered supported. This cookbook may work on other platforms or platform versions with or without modification.

  • Debian 9, 10
  • Ubuntu 18.04, 20.04
  • CentOS 7, 8
  • Redhat 7, 8
  • openSUSE Leap 15

By default, only 64-bit Splunk server and Splunk Universal Forwarder will be installed or upgraded by this cookbook.

Debug Mode

Since the splunk command requires authentication, many execute resources in this cookbook have STDOUT/STDERR suppressed (i.e., sensitive true). However, this setting can hide important diagnostic messages during a failed Chef run when Chef Infra Client is run at normal logging levels, such as :info or :auto. To disable this suppression, Chef Infra Client must be run with the :debug logging level (i.e., chef-client -l debug). Beware: running Chef Infra Client this way can persist sensitive information, such as your Splunk admin user credentials, in the Chef client log, which poses a security risk. Do not leave this setting enabled on critical systems.
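One way to check whether a debug-level run has already written Splunk credentials to a client log, and to redact them, is sketched below. This is an added example, not part of the cookbook: the log lines are constructed, the function names are hypothetical, and the `-auth user:password` shapes follow the splunk_cmd examples in this README.

```ruby
# Added example, not part of the chef-splunk cookbook.
# Finds and redacts Splunk CLI "-auth user:password" arguments in log text.

# -auth followed by a single-quoted, double-quoted or bare credential.
AUTH_ARG = /-auth\s+(?:'(?<sq>[^']+)'|"(?<dq>[^"]+)"|(?<bare>\S+))/.freeze
REDACTED = '[REDACTED]'

# Returns [user, password] for a match, or nil when the argument carries no
# password (user only) or has already been redacted.
def leaked_credential(match)
  cred = match[:sq] || match[:dq] || match[:bare]
  user, password = cred.split(':', 2)
  return nil if password.nil? || password.empty? || password == REDACTED

  [user, password]
end

# Reports the line number and user name of every leaked credential.
# The password itself is deliberately never copied into the findings.
def scan_for_auth_leaks(log_text)
  findings = []
  log_text.each_line.with_index(1) do |line, lineno|
    line.scan(AUTH_ARG) do
      user, _password = leaked_credential(Regexp.last_match)
      findings << { line: lineno, user: user } if user
    end
  end
  findings
end

# Returns a copy of the log with every leaked password replaced.
def redact_auth(log_text)
  log_text.gsub(AUTH_ARG) do
    match = Regexp.last_match
    user, _password = leaked_credential(match)
    user ? "-auth #{user}:#{REDACTED}" : match[0]
  end
end

# Constructed sample: two debug lines, one per quoting style.
SAMPLE_LOG = <<~LOG
  [2021-03-02T10:15:01+00:00] INFO: Processing execute[set servername] action run
  [2021-03-02T10:15:01+00:00] DEBUG: Executing /opt/splunk/bin/splunk set servername idx01 -auth 'admin:Example-Pass1'
  [2021-03-02T10:15:02+00:00] DEBUG: Executing /opt/splunk/bin/splunk set servername idx01 -auth admin:Example-Pass1
  [2021-03-02T10:15:03+00:00] INFO: execute[set servername] ran successfully
LOG

if $PROGRAM_NAME == __FILE__
  scan_for_auth_leaks(SAMPLE_LOG).each { |f| puts "line #{f[:line]}: credentials for #{f[:user]}" }
  puts redact_auth(SAMPLE_LOG)
end
```

A hit means the password should be rotated, not only redacted, since the log may already have been shipped or backed up.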

Cookbooks

Used for managing secrets, see Usage:

  • chef-vault, ~> 4.0

😄 Note: Using chef-vault is optional, but is a dependency for this cookbook. Please see the section Chef-Vault encrypted data bag fallback for an alternative method to manage Splunk secrets with standard encrypted data bags.

Attributes

Attributes have default values set in attributes/default.rb. Where possible or appropriate, the default values from Splunk Enterprise are used.

General attributes:

  • node['splunk']['accept_license']: Whether to accept the Splunk EULA. Default is false. This -must- be set to boolean true for Splunk to be functional with this cookbook, which means end users must read the EULA and agree to the terms.
  • node['splunk']['is_server']: Set this to true if the node is a splunk server, for example in a role (Default: false)
  • node['splunk']['data_bag']: Set this to the name of the data bag where your splunk auth and other secrets are stored (Default: vault)
  • node['splunk']['disabled']: Disable the splunk agent by setting this to true (Default: false) and adding recipe[chef-splunk::disabled] to a node's run list
  • node['splunk']['receiver_port']: The port that the receiver (server) listens to. This is set to the Splunk Enterprise default, 9997.
  • node['splunk']['mgmt_port']: The port that splunkd service listens to, aka the management port. This is set to the Splunk Enterprise default, 8089.
  • node['splunk']['web_port']: The port that the splunkweb service listens to. This is set to the default for HTTPS, 443, as it is configured by the setup_ssl recipe.
  • node['splunk']['ratelimit_kilobytessec']: The default splunk rate limiting rate can now easily be changed with an attribute. Default is 2048KBytes/sec.

The two URL attributes below are selected by platform and architecture by default.

  • node['splunk']['forwarder']['url']: The URL to the Splunk Universal Forwarder package file.

  • node['splunk']['server']['url']: The URL to the Splunk Enterprise package file.

  • node['splunk']['forwarder']['version']: specifies the splunk universal forwarder version to install. This is ignored if forwarder URL is provided. (Default: 8.0.1)

  • node['splunk']['server']['version']: specifies the splunk server version to install. This is ignored if server URL is provided. (Default: 8.0.1)

  • Set these attributes to nil or empty string '' to force installing the packages from the OS package managers. In doing so, server owners are responsible for properly configuring their package manager so chef can install the package.

    For example, each line below will force the chef-client to install Splunk's Universal Forwarder and server from the local package manager:

    node.force_default['splunk']['forwarder']['url'] = ''
    node.force_default['splunk']['server']['url'] = ''
    node.force_default['splunk']['forwarder']['url'] = nil
    node.force_default['splunk']['server']['url'] = nil

Special attributes for managing the Splunk user:

  • node['splunk']['user']: A hash of attributes to set for the splunk user resource in the user recipe. It's unlikely that someone would need to change these, other than the UID, but just in case...

    • username: the username
    • comment: gecos field
    • home: the home directory, defaults to /opt/splunkforwarder, will be set to /opt/splunk if node['splunk']['is_server'] is true.
    • shell: the shell to use
    • uid: the numeric UID. The default, 396, is an arbitrarily chosen integer that doesn't conflict with anything on the supported platforms (see list above). It is within the system UID range on Linux systems.

  • node['splunk']['server']['runasroot']: if runasroot is true (which is the splunk upstream package default) then the splunk server runs as root. If runasroot is false, modify the init script to run as the node['splunk']['user']. This does not apply to the splunk client as they may need root permissions to read logfiles. NOTE1: you may also need to change node['splunk']['web_port'] on a splunk server to run on a port >1024 if you don't run as root (the splunk user cannot bind to privileged ports). NOTE2: If you want to switch from root to the splunk user or vice versa on an existing install, please stop the splunk service first before changing the runasroot boolean value.

The following attributes are related to setting up splunkweb with SSL in the setup_ssl recipe.

  • node['splunk']['ssl_options']: A hash of SSL options used in the setup_ssl recipe
  • node['splunk']['ssl_options']['enable_ssl']: Whether to enable SSL, must be set to true to use the setup_ssl recipe. Defaults to false, must be set using a boolean literal true or false.
  • node['splunk']['ssl_options']['data_bag']: The data bag name to load, defaults to vault (as chef-vault is used).
  • node['splunk']['ssl_options']['data_bag_item']: The data bag item name that contains the keyfile and crtfile, defaults to splunk_certificates.
  • node['splunk']['ssl_options']['keyfile']: The name of the SSL key file, and the content will be written to etc/auth/splunkweb/KEYFILE. Must be an element under data in the data bag item. See Usage for instructions. Defaults to 'self-signed.example.com.key', and should be changed to something relevant for the local site before use, in a role or wrapper cookbook.
  • node['splunk']['ssl_options']['crtfile']: The name of the SSL cert (crt) file, and the content will be written to /etc/auth/splunkweb/CRTFILE. Must be an element under data in the data bag item. See Usage for instructions. Defaults to 'self-signed.example.com.crt', and should be changed to something relevant for the local site before use, in a role or wrapper cookbook.

The following attributes are related to setting up a Splunk server with indexer clustering in the setup_clustering recipe:

  • node['splunk']['clustering']: A hash of indexer clustering configurations used in the setup_clustering recipe

  • node['splunk']['clustering']['enabled']: Whether to enable indexer clustering, must be set to true to use the setup_clustering recipe. Defaults to false, must be a boolean literal true or false.

  • node['splunk']['clustering']['num_sites']: The number of sites in the cluster. Multisite is enabled automatically if num_sites > 1. Defaults to 1, must be a positive integer.

  • node['splunk']['clustering']['mode']: The clustering mode of the node within the indexer cluster. Must be set using string literal 'master', 'slave', or 'searchhead'.

  • node['splunk']['clustering']['replication_port']: The replication port of the cluster peer member. Only valid when node['splunk']['clustering']['mode']='slave'. Defaults to 9887.

  • node['splunk']['clustering']['mgmt_uri']: (Default: https://fqdn:8089) This attribute is for the indexer cluster members and cluster master. The cluster master will set this node attribute to itself, while all cluster members will perform a chef search to get the value from the cluster master's node data.

  • For single-site clustering (node['splunk']['clustering']['num_sites'] = 1):

    • node['splunk']['clustering']['replication_factor']: The replication factor of the indexer cluster. Defaults to 3, must be a positive integer. Only valid when node['splunk']['clustering']['mode']='master' and node['splunk']['clustering']['num_sites']=1 (single-site clustering).
    • node['splunk']['clustering']['search_factor']: The search factor of the indexer cluster. Only valid when node['splunk']['clustering']['mode']='master' and node['splunk']['clustering']['num_sites']=1 (single-site clustering). Defaults to 2, must be a positive integer.
  • For multisite clustering (node['splunk']['clustering']['num_sites'] > 1):

    • node['splunk']['clustering']['site']: The site the node belongs to. Valid values include site1 to site63
    • node['splunk']['clustering']['site_replication_factor']: The per-site replication policy of any given bucket. This is represented as a comma-separated list of per-site entries. Only valid when node['splunk']['clustering']['mode']='master' and multisite is true. Defaults to 'origin:2,total:3'. Refer to Splunk Admin docs for exact syntax and more details.
    • node['splunk']['clustering']['site_search_factor']: The per-site search policy for searchable copies for any given bucket. This is represented as a comma-separated list of per-site entries. Only valid when node['splunk']['clustering']['mode']='master' and multisite is true. Defaults to 'origin:1,total:2'. Refer to Splunk Admin docs for exact syntax and more details.

The following attributes are related to setting up a Splunk server with search head clustering in the setup_shclustering recipe:

  • node['splunk']['shclustering']: A hash of search head clustering configurations used in the setup_shclustering recipe
  • node['splunk']['shclustering']['app_dir']: the path where search head clustering configuration will be installed (Default: /opt/splunk/etc/apps/0_autogen_shcluster_config)
  • node['splunk']['shclustering']['enabled']: Whether to enable search head clustering, must be set to true to use the setup_shclustering recipe. Defaults to false, must be a boolean literal true or false.
  • node['splunk']['shclustering']['mode']: The search head clustering mode of the node within the cluster. This is used to determine if the node needs to bootstrap the shcluster and initialize the node as the captain. Must be set using string literal 'member' or 'captain'.
  • node['splunk']['shclustering']['label']: The label for the shcluster. Used to differentiate from other shclusters in the environment. Must be a string. Defaults to shcluster1.
  • node['splunk']['shclustering']['replication_factor']: The replication factor of the shcluster. Defaults to 3, must be a positive integer.
  • node['splunk']['shclustering']['replication_port']: The replication port of the shcluster members. Defaults to 9900.
  • node['splunk']['shclustering']['deployer_url']: The management url for the shcluster deployer server, must be set to a string such as: https://deployer.domain.tld:8089. This attribute is optional. Defaults to empty.
  • node['splunk']['shclustering']['mgmt_uri']: The management url for the shcluster member node, must be set to a string such as: https://shx.domain.tld:8089. You can use the node's IP address instead of the FQDN if desired. Defaults to https://#{node['fqdn']}:8089.
  • node['splunk']['shclustering']['shcluster_members']: An array of all search head cluster members referenced by their mgmt_uri. Currently this will do a Chef search for nodes that are in the same environment, with search head clustering enabled, and with the same cluster label. Alternatively, this can be hard-coded with a list of all shcluster members including the current node. Must be an array of strings. Defaults to an empty array.

The following attributes are related to setting up a splunk forwarder with the client recipe:

node['splunk']['outputs_conf'] is a hash of configuration values that are used to dynamically populate the outputs.conf file's "tcpout:splunk_indexers_PORT" configuration section. Each key/value pair in the hash is used as configuration in the file. For example the attributes/default.rb has this:

default['splunk']['outputs_conf'] = {
  'forwardedindex.0.whitelist' => '.*',
  'forwardedindex.1.blacklist' => '_.*',
  'forwardedindex.2.whitelist' => '_audit',
  'forwardedindex.filter.disable' => 'false'
}

This will result in the following being rendered in outputs.conf:

[tcpout:splunk_indexers_9997]
server=10.0.2.47:9997
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false

As an example of outputs_conf attribute usage, to add an sslCertPath directive, define the attribute in your role or wrapper cookbook as such:

node.default['splunk']['outputs_conf']['sslCertPath'] = '$SPLUNK_HOME/etc/certs/cert.pem'

The server attribute in tcpout:splunk_indexers_9997 stanza above is populated by default from Chef search results for Splunk servers, or, alternatively, is statically defined in node attribute node['splunk']['server_list'].

node['splunk']['server_list'] is an optional comma-separated list of server IPs and ports. It's only applicable when there are no Splunk servers managed by Chef, e.g. sending data to Splunk Cloud which has managed indexers.

For example:

node.default['splunk']['server_list'] = '10.0.2.47:9997, 10.0.2.49:9997'

node['splunk']['inputs_conf'] is a hash of configuration values that are used to populate the inputs.conf file.

  • node['splunk']['inputs_conf']['host']: A string that specifies the default host name used in the inputs.conf file. The inputs.conf file is not overwritten if this is not set or is an empty string.
  • node['splunk']['inputs_conf']['ports']: An array of hashes that contain the input port configuration necessary to generate the inputs.conf file.
  • node['splunk']['inputs_conf']['inputs']: An array of hashes that contain the input configuration necessary to generate the inputs.conf file. This attribute supports all input types.

For example:

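node.default['splunk']['inputs_conf']['ports'] = [
  {
    # Value kept from the original example; use a real TCP port (1-65535).
    'port_num' => 123123,
    'config' => {
      'sourcetype' => 'syslog'
    }
  }
]

node.default['splunk']['inputs_conf']['inputs'] = [
  {
    # Hash keys are quoted strings; bare words would be parsed as method calls.
    'input_path' => 'monitor:///var/log/syslog',
    'config' => {
      'sourcetype' => 'syslog'
    }
  }
]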

The following attributes are related to upgrades in the upgrade recipe. Note: the default upgrade version is set to 7.3.2 and should be modified to suit in a role or wrapper, since we don't know what upgrade versions may be relevant. Enabling the upgrade and blindly using the default URLs may have undesirable consequences, hence this is not enabled, and must be set explicitly elsewhere on the node(s).

  • node['splunk']['upgrade_enabled']: Controls whether the upgrade is enabled and the attributes/upgrade.rb file should be loaded. Set this in a role or wrapper cookbook to perform an upgrade.

  • node['splunk']['server']['upgrade']['url']: This is the URL to the desired server upgrade package only if upgrade_enabled is set.

  • node['splunk']['server']['upgrade']['version']: specifies the target splunk server version for an upgrade. This is ignored if server upgrade URL is provided. (Default: 8.0.1)

  • node['splunk']['forwarder']['upgrade']['url']: This is the URL to the desired forwarder upgrade package only if upgrade_enabled is set.

  • node['splunk']['forwarder']['upgrade']['version']: specifies the target splunk universal forwarder version for an upgrade. This is ignored if forwarder upgrade URL is provided. (Default: 8.0.1)

  • All URLs set in attributes must be direct download links and not redirects

  • Set these attributes to nil or empty string '' to force installing the packages from the OS package managers. In doing so, server owners are responsible for properly configuring their package manager so chef can install the package.

    For example, each line below will force the chef-client to install Splunk's Universal Forwarder and server from the local package manager:

    node.force_default['splunk']['forwarder']['upgrade']['url'] = ''
    node.force_default['splunk']['server']['upgrade']['url'] = ''
    node.force_default['splunk']['forwarder']['upgrade']['url'] = nil
    node.force_default['splunk']['server']['upgrade']['url'] = nil

Helper methods

splunk_cmd

When wrapping this cookbook, it is often beneficial to run Splunk Enterprise or Universal Forwarder as a non-root user. Running Splunk as a non-root user is, in fact, a security recommendation. To this end, #splunk_cmd will return the properly constructed command to run a Splunk CLI command with arguments.

Example:

execute 'set servername' do
  command splunk_cmd(['set', 'servername', node.name, '-auth', node.run_state['splunk_auth_info']])
  sensitive true
  notifies :restart, 'service[splunk]'
end

Another way that will result in the same command:

execute 'set servername' do
  command splunk_cmd("set servername #{node.name} -auth '#{node.run_state['splunk_auth_info']}'")
  sensitive true
  notifies :restart, 'service[splunk]'
end

Custom Resources

splunk_app

This resource will install a Splunk app or deployment app into the appropriate locations on a Splunk Enterprise server. Some custom "apps" simply install with a few files to override default Splunk settings. The latter is desirable for maintaining settings after an upgrade of the Splunk Enterprise server software.

Breaking Change: As of v6.0.0, sub-resources of the splunk_app provider will no longer notify restarts to the service[splunk] resource. Restarts of the service must be handled explicitly by the splunk_app caller. This allows end-users of the resource more control of when splunkd gets restarted; especially in cases where an app does not require a restart when its files are updated.

Actions

  • :install: Installs a Splunk app or deployment app. This action will also update existing app config files, as needed
  • :remove: Completely removes a Splunk app or deployment app from the Splunk Enterprise server

Properties

TODO: document the rest of the splunk_app properties

  • app_dir: Specifies the application's installation path. Apps installed with this property are placed relative to the Splunk installation directory (Default: /opt/splunk).

  • local_file: specifies a local path from which an app will be sourced. This will not download an app from a remote source; it assumes the file or bundle has already been downloaded outside of this resource. With so many ways to "unpack" a compressed bundle file (e.g., tar.gz, zip, bz2), this feature will not attempt to support any/all of the possibilities. Instead, this feature will support installing an app from any local source on the chef node into the /opt/splunk/etc/apps directory, unless otherwise specified by the app_dir property.

  • templates: This is either an array of template names or a Hash consisting of a target destination path and template names. For example: ['server.conf.erb'] or { 'etc/deployment-apps' => 'server.conf.erb' }.

  • template_variables: This is a Hash with embedded Hash to specify variables that can be passed into the templates keyed by the name of the template, matching the template names in templates property above. The format of this Hash is such that a default Hash can specify variables/values passed to all templates or it can specify different variables/values for any and all templates.

    For example, this will pass the default Hash of variables/values into all of the templates, but the foo.erb template will be fed a unique Hash of variables/values.

    splunk_app 'my app' do
      templates %w(foo.erb bar.erb server.conf.erb app.conf.erb outputs.conf.erb)
      # Parentheses make Ruby parse the braces as a Hash argument, not a block.
      template_variables({
        'default' => { 'var1' => 'value1', 'var2' => 'value2' },
        'foo.erb' => { 'x' => 'snowflake template' }
      })
    end

Examples

Install and enable a deployment client configuration that overrides default Splunk Enterprise configurations

  • Given a wrapper cookbook called MyDeploymentClientBase with a folder structure as below:

MyDeploymentClientBase
    /templates
        /MyDeploymentClientBase
            deploymentclient.conf.erb

splunk_auth_info = data_bag_item('vault', "splunk_#{node.chef_environment}")['auth']

splunk_app 'MyDeploymentClientBase' do
  splunk_auth splunk_auth_info
  templates ['deploymentclient.conf.erb']
  cookbook 'MyDeploymentClientBase'
  action %i(install enable)
end

The Splunk Enterprise server will have a filesystem created, as follows:

/opt/splunk/etc/apps/MyDeploymentClientBase/local/deploymentclient.conf

splunk_index

This resource helps manage Splunk indexes that are defined in an indexes.conf file in a "chef way" using standard Chef DSL vernacular. For information and specifications about Splunk indexes, please review and understand https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf.

Upon convergence, this resource will add a new stanza to the indexes.conf file, as needed, and modify or add new lines to the section based on properties given to the resource. If the current stanza in the indexes.conf file has any extra lines that are not listed as a valid property in this resource, those lines are automatically removed.

Actions

  • :create - Installs or updates an index stanza in the indexes.conf file
  • :remove - Removes a stanza from the indexes.conf file

Properties

  • index_name - this is the String naming each Splunk index. The resource will verify that the name of the index satisfies Splunk's naming requirements, which are below:

    User-defined index names must consist of only numbers, lowercase letters, underscores, and hyphens. They cannot begin with an underscore or hyphen, or contain the word "kvstore".

  • indexes_conf_path - this is the target path and filename to the indexes.conf

  • backup - similar to the backup property of other file/template resources in chef, this specifies a number of backup files to retain or false to disable (Default: 5)

  • options - This is a Hash that contains all of the key/value pairs that define an index. For reference, please see Splunk's online documentation to understand what the valid options are for this property.

Example

A test recipe is embedded in this cookbook. Please look at test/fixtures/cookbooks/test/recipes/splunk_index.rb.

splunk_monitor

Adds a Splunk monitor stanza into a designated inputs.conf file in a "chef-erized" way using standard Chef DSL vernacular. This resource also validates supported monitors and index names as documented by Splunk. The dictionary is created from documentation on Splunk's website.

Upon convergence, this resource will add a new stanza to the inputs.conf file, as needed, and modify or add new lines to the section based on properties given to the resource. If the current stanza in the inputs.conf file has any extra lines that are not listed as a valid property in this resource, those lines are automatically removed.

Actions

  • :create - Installs or updates a monitor:// stanza into the inputs.conf file
  • :remove - Removes a stanza from the inputs.conf file

Properties

These properties are specific to this resource:

  • monitor_name - this is the text naming each monitoring stanza (e.g., monitor:///opt/splunk/var/log/splunk/splunkd.log). Only the path to the file that Splunk should monitor is required in this property. The resource will prepend the necessary monitor:// to this property.
  • inputs_conf_path - this is the target path and filename to the inputs.conf
  • backup - similar to the backup property of other file/template resources in chef, this specifies a number of backup files to retain or false to disable (Default: 5)

These resource properties are drawn from Splunk's documentation. Refer to https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/Monitorfilesanddirectorieswithinputs.conf for more detailed description of these properties.

  • host
  • index
  • sourcetype
  • queue
  • _TCP_ROUTING
  • host_regex
  • host_segment

The following are additional settings you can use when defining monitor input stanzas.

  • source
  • crcSalt
  • ignoreOlderThan
  • followTail
  • whitelist
  • blacklist
  • alwaysOpenFile
  • recursive
  • time_before_close
  • followSymlink

Example

A test recipe is embedded in this cookbook. Please look at test/fixtures/cookbooks/test/recipes/splunk_monitor.rb
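The convergence behaviour described above for splunk_monitor (and, against indexes.conf, for splunk_index) is modelled below in plain Ruby to show its main operational consequence: any line in a managed stanza that is not passed as a property is dropped. This is an added example, not the cookbook's implementation; parse_conf, render_conf and converge_monitor are hypothetical names, the sample file is constructed, and accepting a name that already starts with monitor:// is an assumption.

```ruby
# Added example: simplified model of stanza convergence, not cookbook code.
# Comments and blank lines in the input file are not preserved by this model.

# Settings listed in this README as valid splunk_monitor properties.
ALLOWED_MONITOR_SETTINGS = %w(
  host index sourcetype queue _TCP_ROUTING host_regex host_segment
  source crcSalt ignoreOlderThan followTail whitelist blacklist
  alwaysOpenFile recursive time_before_close followSymlink
).freeze

# Parses .conf text into an insertion-ordered Hash: stanza => { key => value }.
def parse_conf(text)
  stanzas = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (header = line.match(/\A\[(.+)\]\z/))
      current = stanzas[header[1]] ||= {}
    elsif current && (pair = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      current[pair[1]] = pair[2]
    end
  end
  stanzas
end

def render_conf(stanzas)
  stanzas.map do |name, settings|
    (["[#{name}]"] + settings.map { |key, value| "#{key} = #{value}" }).join("\n")
  end.join("\n\n") + "\n"
end

# Replaces (or appends) one monitor stanza so that it holds exactly the given
# properties. Returns the new file content and the keys that were dropped.
def converge_monitor(conf_text, monitor_name, properties)
  unknown = properties.keys - ALLOWED_MONITOR_SETTINGS
  raise ArgumentError, "unsupported monitor settings: #{unknown.join(', ')}" unless unknown.empty?

  stanza = monitor_name.start_with?('monitor://') ? monitor_name : "monitor://#{monitor_name}"
  stanzas = parse_conf(conf_text)
  removed = (stanzas[stanza] || {}).keys - properties.keys
  stanzas[stanza] = properties.transform_values(&:to_s)
  { stanza: stanza, removed: removed, content: render_conf(stanzas) }
end

# Constructed sample: "disabled = 1" stands for a line added by hand on the node.
EXISTING_CONF = <<~CONF
  [default]
  host = web01

  [monitor:///var/log/syslog]
  sourcetype = syslog
  index = main
  disabled = 1
CONF

if $PROGRAM_NAME == __FILE__
  result = converge_monitor(EXISTING_CONF, '/var/log/syslog',
                            { 'sourcetype' => 'syslog', 'index' => 'os' })
  puts "dropped from #{result[:stanza]}: #{result[:removed].join(', ')}"
  puts result[:content]
end
```

Because hand-made edits such as a local blacklist or a disabled flag do not survive a converge, every setting that matters for log collection has to be expressed as a resource property.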

splunk_installer

The Splunk Enterprise and Splunk Universal Forwarder package installation is the same, save for the name of the package and the URL to download. This custom resource abstracts the package installation to a common baseline. Any new platform installation support should be added by modifying the custom resource as appropriate. One goal of this custom resource is to have a single occurrence of a package resource, using the appropriate "local package file" provider per platform. For example, on RHEL, we use rpm and on Debian we use dpkg.

Package files will be downloaded to Chef's file cache path (e.g., file_cache_path in /etc/chef/client.rb, /var/chef/cache by default).

Actions

  • :run: install the splunk server or splunk universal forwarder
  • :remove: uninstall the splunk server or splunk universal forwarder
  • :upgrade: upgrade an existing splunk or splunk universal forwarder package

The custom resource has the following parameters.

  • name: The name of the package (e.g., splunk, splunkforwarder).
  • url: The URL to the package file.
  • package_name: This is the name of the package to install, if it is different from the resource name.
  • version: install/upgrade to this version, if url is not given

Examples

For example, if the nodes in the environment are all Debian-family, and the desired splunkforwarder package is provided locally as splunkforwarder.deb on an internal HTTP server:

splunk_installer 'splunkforwarder' do
  url 'https://www-int.example.com/splunk/splunkforwarder.deb'
end

The install_forwarder and install_server recipes use the custom resource with the appropriate url attribute.

Recipes

This cookbook has several composable recipes that can be used in a role, or a local "wrapper" cookbook. The default, client, and server recipes are intended to be used wholesale with all the assumptions they contain.

The general default assumption is that a node including the default recipe will be a Splunk Universal Forwarder (client).

client

This recipe encapsulates a completely configured "client" - a Splunk Universal Forwarder configured to talk to a node that is the splunk server (with node['splunk']['is_server'] true). The recipes can be used on their own composed in a wrapper cookbook or role. This recipe will include the user, install_forwarder, service, and setup_auth recipes.

It will also search a Chef Server for a Splunk Enterprise (server) node with splunk_is_server:true in the same chef_environment and write out etc/system/local/outputs.conf with the server's IP and the receiver_port attribute in the Splunk install directory (/opt/splunkforwarder).

Setting node['splunk']['outputs_conf'] with key value pairs updates the outputs.conf server configuration with those key value pairs. These key value pairs can be used to setup SSL encryption on messages forwarded through this client:

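# Note that the ssl CA and certs must exist on the server.
# sslVerifyServerCert => false leaves the indexer's certificate unverified;
# per Splunk's outputs.conf documentation it must be true for
# sslCommonNameToCheck to take effect.
node.default['splunk']['outputs_conf'] = {
  'sslCommonNameToCheck' => 'sslCommonName',
  'sslCertPath' => '$SPLUNK_HOME/etc/certs/cert.pem',
  'sslPassword' => 'password',
  'sslRootCAPath' => '$SPLUNK_HOME/etc/certs/cacert.pem',
  'sslVerifyServerCert' => false
}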
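To make the mapping from node['splunk']['outputs_conf'] to the tcpout stanza (described under Attributes) and the TLS settings above reviewable before they reach forwarders, the following added example renders the stanza and flags weak TLS combinations. It is not the cookbook's template or recipe code: render_tcpout, audit_tls and the finding names are hypothetical, the hashes are copied from this README or constructed, and the treatment of boolean spellings is an assumption.

```ruby
# Added example, not the cookbook's template or recipe code.

# Renders the stanza in the layout shown earlier in this README.
def render_tcpout(servers, receiver_port, outputs_conf)
  lines = ["[tcpout:splunk_indexers_#{receiver_port}]",
           "server=#{servers.join(', ')}"]
  outputs_conf.each { |key, value| lines << "#{key} = #{value}" }
  lines.join("\n") + "\n"
end

# Assumption: only true, 'true' and 1 are treated as an enabled boolean here.
def enabled?(value)
  %w(true 1).include?(value.to_s.strip.downcase)
end

FINDING_TEXT = {
  no_tls: 'no ssl* keys: this stanza configures no TLS for forwarded data',
  server_cert_not_verified: 'sslVerifyServerCert is not true: the indexer certificate is not validated',
  common_name_check_inactive: 'sslCommonNameToCheck is set but has no effect without sslVerifyServerCert = true',
  password_in_node_attributes: 'sslPassword is a node attribute: it is saved in clear text with the node object'
}.freeze

# Returns an Array of finding symbols (keys of FINDING_TEXT), empty when clean.
def audit_tls(outputs_conf)
  ssl_keys = outputs_conf.keys.select { |key| key.to_s.start_with?('ssl') }
  return [:no_tls] if ssl_keys.empty?

  verify = enabled?(outputs_conf['sslVerifyServerCert'])
  findings = []
  findings << :server_cert_not_verified unless verify
  findings << :common_name_check_inactive if outputs_conf.key?('sslCommonNameToCheck') && !verify
  findings << :password_in_node_attributes if outputs_conf.key?('sslPassword')
  findings
end

# The default hash from attributes/default.rb as quoted in this README.
DEFAULT_OUTPUTS = {
  'forwardedindex.0.whitelist' => '.*',
  'forwardedindex.1.blacklist' => '_.*',
  'forwardedindex.2.whitelist' => '_audit',
  'forwardedindex.filter.disable' => 'false'
}.freeze

# The TLS example from the client recipe section of this README.
README_TLS = {
  'sslCommonNameToCheck' => 'sslCommonName',
  'sslCertPath' => '$SPLUNK_HOME/etc/certs/cert.pem',
  'sslPassword' => 'password',
  'sslRootCAPath' => '$SPLUNK_HOME/etc/certs/cacert.pem',
  'sslVerifyServerCert' => false
}.freeze

# Constructed variant: verification on, no passphrase in node attributes
# (how the passphrase is delivered is outside this example).
REVIEWED_TLS = README_TLS.reject { |key, _| key == 'sslPassword' }
                         .merge('sslVerifyServerCert' => true).freeze

if $PROGRAM_NAME == __FILE__
  puts render_tcpout(['10.0.2.47:9997'], 9997, DEFAULT_OUTPUTS.merge(README_TLS))
  audit_tls(README_TLS).each { |finding| puts "#{finding}: #{FINDING_TEXT[finding]}" }
end
```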

The inputs.conf file can also be managed through this recipe. To set up a Splunk forwarder, first set the default host:

node.default['splunk']['inputs_conf']['host'] = 'myhost'

Then set up the port configuration for each input port:

node.default['splunk']['inputs_conf']['ports'] = [
  {
    # Value kept from the original example; use a real TCP port (1-65535).
    'port_num' => 123123,
    'config' => {
      'sourcetype' => 'syslog',
      # ...
    }
  },
  # ...
]

default

It will include the client or server recipe depending on whether the is_server attribute is set.

The attribute use allows users to control the included recipes by easily manipulating the attributes of a node, or a node's roles, or through a wrapper cookbook.

disabled

In some cases it may be required to disable Splunk on a particular node. For example, it may be sending too much data to Splunk and exceeding the local license capacity. To use the disabled recipe, set the node['splunk']['disabled'] attribute to true, and add recipe[chef-splunk::disabled] to a node's run list.

install_forwarder

This recipe uses the splunk_installer custom resource to install the splunkforwarder package from the specified URL (via the node['splunk']['forwarder']['url'] attribute).

install_server

This recipe uses the splunk_installer custom resource to install the splunk (Enterprise server) package from the specified URL (via the node['splunk']['server']['url'] attribute).

server

This recipe encapsulates a completely configured "server" - Splunk Enterprise configured to receive data from Splunk Universal Forwarder clients. The recipe sets the attribute node['splunk']['is_server'] to true, and is included from the default recipe if the attribute is true as well. The recipes can be used on their own composed in a wrapper cookbook or role, too. This recipe will include the user, install_server, service, and setup_auth recipes. It will also conditionally include the setup_ssl and setup_clustering recipes if enabled via the corresponding node attributes, as defined in Attributes above.

It will also enable Splunk Enterprise as an indexer, listening on the node['splunk']['receiver_port'].

service

This recipe sets up the splunk service, and applies to both client and server use, since splunk is the same service for both deployments of Splunk.

The attribute node['splunk']['accept_license'] must be true in order to set up the boot script. If it's true, then the boot script gets put into place (/etc/init.d/splunk on Linux/Unix systems), with the license accepted. The service is managed using the Chef init service provider, which uses the /etc/init.d/splunk script for the start, stop, restart, etc. commands.

setup_auth

This recipe loads an encrypted data bag with the Splunk user credentials as an -auth string, 'user:password', using the chef-vault cookbook helper method, chef_vault_item. See Usage for how to set this up. The recipe will edit the specified user (assuming admin), and then write a state file to etc/.setup_admin_password to indicate in future Chef runs that it has set the password. If the password should be changed, then that file should be removed.

setup_clustering

This recipe sets up Splunk indexer clustering based on the node's clustering mode or node['splunk']['clustering']['mode']. The attribute node['splunk']['clustering']['enabled'] must be set to true in order to run this recipe. Similar to setup_auth, this recipe loads the same encrypted data bag with the Splunk secret key (to be shared among cluster members), using the chef-vault cookbook helper method, chef_vault_item. See Usage for how to set this up. The recipe will edit the cluster configuration, and then write a state file to etc/.setup_cluster_{master|slave|searchhead} to indicate in future Chef runs that it has set the node's indexer clustering configuration. If cluster configuration should be changed, then that file should be removed.

It will also search a Chef Server for a Splunk Enterprise (server) node of type cluster master, that is with splunk_clustering_enable:true and splunk_clustering_mode:master in the same chef_environment and use that server's IP when configuring a cluster search head or a cluster peer node to communicate with the cluster master (Refer to master_uri attribute of clustering stanza in etc/system/local/server.conf).

Indexer clustering is used to achieve some data availability & recovery. To learn more about Splunk indexer clustering, refer to Splunk Docs.

setup_shclustering

This recipe sets up Splunk search head clustering. The attribute node['splunk']['shclustering']['enabled'] must be set to true in order to run this recipe. Similar to setup_auth, this recipe loads the same encrypted data bag with the Splunk secret key (to be shared among cluster members), using the chef-vault cookbook helper method, chef_vault_item. See Usage for how to set this up. The recipe will edit the cluster configuration, and then write a state file to etc/.setup_shcluster to indicate in future Chef runs that it has set the node's search head clustering configuration. If cluster configuration should be changed, then that file should be removed.

It will also search a Chef Server for a Splunk Enterprise (server) node of type cluster master, that is with splunk_shclustering_enable:true and the same splunk_shclustering_label in the same chef_environment and use that server's IP when building the list of shcluster_members.

The search head cluster configuration is deployed as a custom Splunk app that is written to etc/apps/0_autogen_shcluster_config to take advantage of Splunk's built in config layering. All nodes with splunk_shclustering_enable:true will receive this app.

On the first Chef run on a node with splunk_shclustering_mode:captain, this recipe will build and execute the Splunk command to bootstrap the search head cluster and initiate the captain election process.

In addition to using this recipe for configuring the search head cluster members, you will also have to manually configure a search head instance to serve as the search head cluster's deployer. This is done by adding a [shclustering] stanza to that instance's etc/system/local/server.conf with the same pass4SymmKey = <secret> and the same shcluster_label = <splunk_shclustering_label>. This deployer is optional, but it should be configured before running the bootstrap on the captain, and the search head cluster member nodes should then be configured with this deployer node's mgmt_uri set in the member node's splunk_shclustering_deployer_url.

Search head clustering is used to achieve high availability & scaling. To learn more about Splunk search head clustering, refer to Splunk Docs.

upgrade

Important: Read the upgrade documentation and release notes for any particular Splunk version upgrades before performing an upgrade. Also back up the Splunk directory, configuration, etc.

This recipe can be used to upgrade a splunk installation, for example from an existing 7.3.2 to 8.0.1. The default recipe can be used for 8.0.1 after upgrades of earlier versions have been completed. Note that the attributes file is only loaded with the URLs to the splunk packages to upgrade if the node['splunk']['upgrade_enabled'] attribute is set to true. We recommend setting the actual URL attributes needed in a wrapper cookbook or role.

user

This recipe manages the splunk user and group. On Linux systems, the user and group will be created with the system attribute; other platforms may not be aware of system users/groups (e.g., illumos/solaris). Both resources will be created with the UID or GID of the node['splunk']['user']['uid'] attribute. The default value is 396, arbitrarily chosen to fall under the system UID/GID set by /etc/login.defs on both RHEL and Debian family Linux systems. If this is a conflicting UID/GID, then modify the attribute as required.

Usage

Data Bag Items

Splunk Secrets & Admin User Authentication

Splunk secret key and admin user authentication information should be stored in a data bag item that is encrypted using Chef Vault. Create a data bag named vault, with an item splunk_CHEF-ENVIRONMENT, where CHEF-ENVIRONMENT is the node.chef_environment that the Splunk Enterprise server will be assigned. If environments are not used, use _default. For example in a Chef Repository (not in a cookbook):

# data_bags/vault/splunk__default.json
{
  "id": "splunk__default",
  "auth": "admin:notarealpassword",
  "secret": "notarealsecret"
}

Or with an environment, 'production':

# data_bags/vault/splunk_production.json
{
  "id": "splunk_production",
  "auth": "admin:notarealpassword",
  "secret": "notarealsecret"
}

Then, upload the data bag item to the Chef Server using the chef-vault knife encrypt plugin (first example, _default environment):

knife encrypt create vault splunk__default \
    --json data_bags/vault/splunk__default.json \
    --search 'splunk:*' --admins 'yourusername' \
    --mode client

More information about Chef Vault is available on the GitHub Project Page.
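
A pre-upload check for the vault item described above, as an added example that is not part of the chef-splunk cookbook: it flags an id that does not match splunk_CHEF-ENVIRONMENT, an auth value that is not 'user:password', and the README placeholders or the Splunk default password left in place. The helper name lint_splunk_vault_item and its clustering option are hypothetical.

```ruby
require 'json'

# Values this README uses as placeholders, plus the Splunk default password
# it documents ("changeme"); none of them should reach a Chef Server.
WEAK_PASSWORDS = %w[changeme notarealpassword].freeze
WEAK_SECRETS   = %w[notarealsecret].freeze

# Hypothetical helper (not a chef-splunk or chef-vault API).
# Returns an array of problems found in a vault item for the given Chef
# environment; an empty array means every check passed.
# Pass clustering: true when setup_clustering or setup_shclustering will run,
# because those recipes read the shared "secret" from the same item.
def lint_splunk_vault_item(json_text, environment = '_default', clustering: false)
  item = JSON.parse(json_text)
  return ['item must be a JSON object'] unless item.is_a?(Hash)

  problems = []

  # The recipes look the item up as splunk_<node.chef_environment>.
  expected_id = "splunk_#{environment}"
  unless item['id'] == expected_id
    problems << "id is #{item['id'].inspect}, expected #{expected_id.inspect}"
  end

  # setup_auth passes this value to the splunk CLI as an -auth string.
  auth = item['auth']
  if !auth.is_a?(String) || auth.empty?
    problems << 'auth is missing'
  else
    # Split on the first colon only, so a password may itself contain colons.
    user, password = auth.split(':', 2)
    if user.nil? || user.empty? || password.nil? || password.empty?
      problems << "auth must have the form 'user:password'"
    elsif WEAK_PASSWORDS.include?(password)
      problems << 'auth password is the Splunk default or a README placeholder'
    end
  end

  secret = item['secret']
  if secret.nil? || secret.to_s.empty?
    problems << 'secret is missing but clustering is enabled' if clustering
  elsif WEAK_SECRETS.include?(secret)
    problems << 'secret is a README placeholder'
  end

  problems
rescue JSON::ParserError => e
  ["not valid JSON: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the README's placeholder item, left unchanged.
  sample = <<~JSON
    { "id": "splunk__default", "auth": "admin:notarealpassword", "secret": "notarealsecret" }
  JSON
  lint_splunk_vault_item(sample, '_default', clustering: true).each do |problem|
    puts "FAIL: #{problem}"
  end
end
```

Run it against the JSON file before knife encrypt create, and delete the plaintext JSON once the encrypted item is uploaded.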

Chef-Vault encrypted data bag fallback

The use of chef-vault is entirely optional. However, this cookbook maintains the structure of the encrypted data bags used throughout for those folks who prefer chef-vault. If you are one of the folks that don't want or can't use chef-vault, here is what you do.

First, chef-vault has a built-in mechanism to fall back to a standard encrypted data bag. So, in order to make use of this, set the following attribute:

node.force_default['chef-vault']['data_bag_fallback'] = true

The next step is to create a standard encrypted data bag. There are only two requirements to ensure your encrypted data bag is compatible with this cookbook, as follows. The steps below are very similar to the previous section; however, you will notice these steps are not using chef-vault.

  • Your data bag must conform to the data bag that is created by chef-vault.
  • Data bag items created in the data bag must also conform to the names created by chef-vault.

Create a data bag named vault, with an item splunk_CHEF-ENVIRONMENT, where CHEF-ENVIRONMENT is the node.chef_environment that the Splunk Enterprise server will be assigned. If environments are not used, use _default. For example in a Chef Repository (not in a cookbook):

# data_bags/vault/splunk__default.json
{
  "id": "splunk__default",
  "auth": "admin:notarealpassword",
  "secret": "notarealsecret"
}

Or with an environment, 'production':

# data_bags/vault/splunk_production.json
{
  "id": "splunk_production",
  "auth": "admin:notarealpassword",
  "secret": "notarealsecret"
}

Below is an example for a node that is in the _default chef environment using the json file above.

knife data bag create vault
knife data bag from file vault data_bags/vault/splunk__default.json --secret-file ~/.chef/your_encrypted_data_bag_secret.key

That's all there is to it!

Web UI SSL

A Splunk server should have the Web UI available via HTTPS. This can be set up using self-signed SSL certificates, or "real" SSL certificates. The certificate and key are loaded via a data bag item with chef-vault. Using the defaults from the attributes:

# data_bags/vault/splunk_certificates.json
{
  "id": "splunk_certificates",
  "data": {
    "self-signed.example.com.crt": "-----BEGIN CERTIFICATE-----\n...SNIP",
    "self-signed.example.com.key": "-----BEGIN RSA PRIVATE KEY-----\n...SNIP"
  }
}

Like the authentication credentials above, run the knife encrypt command. Note the search here is for the splunk server only:

knife encrypt create vault splunk_certificates \
    --json data_bags/vault/splunk_certificates.json \
    --search 'splunk_is_server:true' --admins 'yourusername' \
    --mode client

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

https://opencollective.com/sous-chefs#backers

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.



chef-splunk's Issues

Using ['splunk']['forwarder']['url'] of version 7+ causes run to fail.

Can we please have an update to this Cookbook to support v7+ of the Splunk package? When setting the ['splunk']['forwarder']['url'] to such a version, the Cookbook fails (tested as Universal Forwarder) as various filesystem paths have changed (e.g. UniversalForwarder seems to have turned into an App under the main Splunk directory as opposed to /opt/universalforwarder).

systemd prevents splunk user from starting on port 443

Cookbook version

1.7.3

Chef-client version

12+

Platform Details

centos 7 and rhel 7

Scenario:

The systemd splunk.service config uses the splunk user to start/stop/restart the service. However, it does not have permission to use port 443 (privileged port).

Steps to Reproduce:

Run server-cluster-master-centos-7 test suite in Kitchen

kitchen test server-cluster-master-centos-7

Expected Result:

Test should pass

Actual Result:

The test fails and further debugging reveals that the splunk user does not have permission to use port 443.

           ================================================================================
           Error executing action `restart` on resource 'service[splunk]'
           ================================================================================
           
           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '1'
           ---- Begin output of /bin/systemctl --system restart splunk ----
           STDOUT: 
           STDERR: Job for splunk.service failed because the control process exited with error code. See "systemctl status splunk.service" and "journalctl -xe" for details.
           ---- End output of /bin/systemctl --system restart splunk ----
           Ran /bin/systemctl --system restart splunk returned 1
           
           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/chef-splunk/recipes/service.rb
           
            84:   service 'splunk' do
            85:     supports status: true, restart: true
            86:     provider Chef::Provider::Service::Systemd
            87:     action [:enable, :start]
            88:   end
            89: else
-- Subject: Unit splunk.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit splunk.service has begun starting up.
Oct 01 15:37:36 server-cluster-master-centos-7.vagrantup.com splunk[4123]: Splunk> Be an IT superhero. Go home early.
Oct 01 15:37:36 server-cluster-master-centos-7.vagrantup.com splunk[4123]: Checking prerequisites...
Oct 01 15:37:36 server-cluster-master-centos-7.vagrantup.com splunk[4123]: Checking http port [443]: not available
Oct 01 15:37:36 server-cluster-master-centos-7.vagrantup.com splunk[4123]: ERROR: http port [443] - no permission to use address/port combi
Oct 01 15:37:36 server-cluster-master-centos-7.vagrantup.com systemd[1]: splunk.service: control process exited, code=exited status=1
Oct 01 15:37:36 server-cluster-master-centos-7.vagrantup.com systemd[1]: Failed to start Splunk.
-- Subject: Unit splunk.service has failed

Version 1.6.0 in supermarket is not the same as version 1.6.0 in github

When I download the supermarket version of chef-splunk 1.6.0 the recipe client.rb does not contain the proper code to handle the attribute node['splunk']['server_list'] if the splunk server is set statically instead of searching.
However, when I download the github version 1.6.0, the client.rb contains the proper entry to assign the content of node['splunk']['server_list'] to the variable server_list:


# fallback to statically defined server list as alternative to search
server_list = node['splunk']['server_list'] if server_list.empty?

This piece of code is missing from the same version in supermarket.

Could you please check and synchronize supermarket with the correction?

disable Transparent Hugepages in recipe

As a feature request, please consider adding a snippet to disable THP on linux hosts, so that the recipe mirrors what consultants seem to be recommending for better performance.

Based on the alternatives, I'd recommend a simple change to Grub (/etc/default/grub if it's there; /etc/grub.conf if not (EL<7)).

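# Insert the option before the closing quote, separated from any existing options by a space
sed -i~ '
  /GRUB_CMDLINE_LINUX/s/"$/ transparent_hugepage=never"/
' /etc/default/grub

# Legacy GRUB (EL<7): append to kernel lines whose single leading character is not "#"
sed -i~ '
  /^[^#]kernel /s/$/ transparent_hugepage=never/
' /etc/grub.conf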

... but I don't relish that task due to the risk! (no, there's no simple sysctl tweak that I saw)

Download fails (404)

Seems that Splunk might have changed the download procedure so that the installation package download requires registration & sign-in which prevents the use of default download url for this cookbook. Result for downloading any of the packages is "404 not found".

splunk_app lwrp does not work unless running as root

I'm having trouble getting the splunk_app LWRP to work properly when node['splunk']['server']['runasroot'] = false. I've added some test-kitchen tests in my fork, but they're currently failing during converge.

Below is a snippet from kitchen converge -l debug

In handler 'localapps': Cannot update application info: /nobody/bistro/app/install/state = disabled: Data could not be written: /nobody/bistro/app/install/state: disabled


     ================================================================================
     Error executing action `run` on resource 'execute[splunk-disable-bistro]'
     ================================================================================

     Mixlib::ShellOut::ShellCommandFailed
     ------------------------------------
     Expected process to exit with [0], but received '22'
     ---- Begin output of /opt/splunk/bin/splunk disable app bistro -auth admin:notarealpassword ----
     STDOUT: 
     STDERR: In handler 'localapps': Cannot update application info: /nobody/bistro/app/install/state = disabled: Data could not be written: /nobody/bistro/app/install/state: disabled

     Ran /opt/splunk/bin/splunk disable app bistro -auth admin:notarealpassword returned 22

     Resource Declaration:
     ---------------------
     # In /tmp/kitchen/cache/cookbooks/chef-splunk/libraries/splunk_app_provider.rb

     109:           execute "splunk-disable-#{new_resource.app_name}" do
     110:             command "#{splunk_cmd} disable app #{new_resource.app_name} -auth #{splunk_auth(new_resource.splunk_auth)}"
     111:             not_if { ::File.exist?("#{splunk_dir}/etc/disabled-apps/#{new_resource.app_name}") }
     112:             notifies :restart, 'service[splunk]'
     113:           end
     114:         end


     ------------------
     # Declared in /tmp/kitchen/cache/cookbooks/chef-splunk/libraries/splunk_app_provider.rb:109:in `block in <class:SplunkApp>'

     execute("splunk-disable-bistro") do
action [:run]
retries 0
retry_delay 2
default_guard_interpreter :execute
command "/opt/splunk/bin/splunk disable app bistro -auth admin:notarealpassword"
backup 5
 returns 0
declared_type :execute
cookbook_name "test"
not_if { #code block }
     end



   ================================================================================
   Error executing action `disable` on resource 'splunk_app[bistro-disable]'
   ================================================================================

   Mixlib::ShellOut::ShellCommandFailed
   ------------------------------------
   execute[splunk-disable-bistro] (/tmp/kitchen/cache/cookbooks/chef-splunk/libraries/splunk_app_provider.rb line 109) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '22'
   ---- Begin output of /opt/splunk/bin/splunk disable app bistro -auth admin:notarealpassword ----
   STDOUT: 
   STDERR: In handler 'localapps': Cannot update application info: /nobody/bistro/app/install/state = disabled: Data could not be written: /nobody/bistro/app/install/state: disabled
   ---- End output of /opt/splunk/bin/splunk disable app bistro -auth admin:notarealpassword ----
   Ran /opt/splunk/bin/splunk disable app bistro -auth admin:notarealpassword returned 22

   Resource Declaration:
   ---------------------
   # In /tmp/kitchen/cache/cookbooks/test/recipes/default.rb

    10: splunk_app 'bistro-disable' do
    11:   app_name 'bistro'
    12:   splunk_auth 'admin:notarealpassword'
    13:   action [:disable, :remove]
    14: end


   Compiled Resource:
   ------------------
   # Declared in /tmp/kitchen/cache/cookbooks/test/recipes/default.rb:10:in `from_file'

   splunk_app("bistro-disable") do
     action [:disable, :remove]
     retries 0
     retry_delay 2
     default_guard_interpreter :default
     declared_type :splunk_app
     cookbook_name "test"
     recipe_name "default"
 splunk_auth "admin:notarealpassword"
     app_name "bistro"
   end

This is happening because /opt/splunk/etc/apps/bistro/local is owned by root. Here's what I did to confirm that:

$ kitchen login server-lwrps-ubuntu-1404
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Tue Aug 11 02:11:28 2015 from 10.0.2.2
vagrant@server-lwrps-ubuntu-1404:~$ sudo /opt/splunk/bin/splunk disable app bistro -auth admin:notarealpassword

 In handler 'localapps': Cannot update application info: /nobody/bistro/app/install/state = disabled: Data could not be written: /nobody/bistro/app/install/state: disabled
vagrant@server-lwrps-ubuntu-1404:~$ ls -al /opt/splunk/etc/apps/bistro/
total 80
drwxrwxr-x 10 splunk splunk  4096 Aug 11 02:17 .
drwxr-xr-x 16 splunk splunk  4096 Aug 11 02:17 ..
drwxrwxr-x  3 splunk splunk  4096 Aug 11 02:17 appserver
-rw-rw-r--  1 splunk splunk   642 Aug 11 02:17 Cheffile
-rw-rw-r--  1 splunk splunk   403 Aug 11 02:17 Cheffile.lock
drwxrwxr-x  6 splunk splunk  4096 Aug 11 02:17 cookbooks
drwxrwxr-x  3 splunk splunk  4096 Aug 11 02:17 default
-rw-rw-r--  1 splunk splunk   397 Aug 11 02:17 Gemfile
-rw-rw-r--  1 splunk splunk  2362 Aug 11 02:17 Gemfile.lock
-rwxrwxr-x  1 splunk splunk 10174 Aug 11 02:17 LICENSE.txt
drwxr-xr-x  2 root   root    4096 Aug 11 02:17 local          <- owned by root
-rwxrwxr-x  1 splunk splunk  1416 Aug 11 02:17 Makefile
drwxrwxr-x  2 splunk splunk  4096 Aug 11 02:17 metadata
-rw-rw-r--  1 splunk splunk   339 Aug 11 02:17 README.md
drwxrwxr-x  2 splunk splunk  4096 Aug 11 02:17 roles
drwxrwxr-x  3 splunk splunk  4096 Aug 11 02:17 site-cookbooks
drwxrwxr-x  3 splunk splunk  4096 Aug 11 02:17 tmp
-rw-rw-r--  1 splunk splunk   786 Aug 11 02:17 Vagrantfile
vagrant@server-lwrps-ubuntu-1404:~$ sudo chown -R splunk:splunk /opt/splunk/etc/apps/bistro/local
vagrant@server-lwrps-ubuntu-1404:~$ sudo /opt/splunk/bin/splunk disable app bistro
App 'bistro' disabled                                         <- hooray!
vagrant@server-lwrps-ubuntu-1404:~$ 

Edit: updated links - I've rebased the fork to remove the new matchers, in preparation for a PR which will fix this issue.

undefined method `provides' (breaks Chef 11 support)

With Chef 11 I get this "undefined method" error when running this cookbook, which is similar to this chef-vault issue: chef-boneyard/chef-vault#36

This is caused by the change in this commit: f06b03b

This essentially breaks support on Chef 11. Could you please either update the "Requirements" section in the README.md file to reflect that Chef 11 is no longer supported, or update the "libraries/splunk_app_provider.rb" file to support Chef 11 installations?

Thanks =)

splunkforwarder failing to install because of license terms prompt.

After upgrading splunkforwarder, service[splunk] resource is failing to restart splunkforwarder because of its prompt for the user to accept license terms. This is despite the fact that we're passing in the --answer-yes flag. Per my testing this is because we're also passing in the --no-prompt.

Cookbook version: 1.3.0
Splunkforwarder version: splunkforwarder-6.1.3-220630-linux-2.6-amd64.deb

Blame: a41008d
Blame: df40fef

To Reproduce

  1. Converge with Cookbook < 1.3.0.
  2. Update Cookbook to 1.3.0.
  3. Converge with Cookbook >= 1.3.0.

Expected Results

  1. Cookbook should upgrade Splunk to at least 6.1.3.
  2. Splunk should automatically accept terms and [start|restart].

Actual Results

  1. Cookbook upgrades Splunk to 6.1.3.
  2. Splunk DOES NOT automatically accept terms and start.

Work Around

  1. Add a resource-wrapper to remove $SPLUNK_HOME/ftr NOT RECOMMENDED DRAGONS

Log

[2014-10-27T18:57:34+00:00] INFO: Processing service[splunk] action start (chef-splunk::service line 79)

================================================================================
Error executing action `start` on resource 'service[splunk]'
================================================================================


Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '2'
---- Begin output of /etc/init.d/splunk start ----
STDOUT: Starting Splunk...
STDERR: License not yet accepted, but executed with no-prompt flag.  Exiting.
---- End output of /etc/init.d/splunk start ----
Ran /etc/init.d/splunk start returned 2


Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/chef-splunk/recipes/service.rb

 79: service 'splunk' do
 80:   supports :status => true, :restart => true
 81:   provider Chef::Provider::Service::Init
 82:   action :start
 83: end



Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/chef-splunk/recipes/service.rb:79:in `from_file'

service("splunk") do
  provider Chef::Provider::Service::Init
  action [:start]
  supports {:status=>true, :restart=>true}
  retries 0
  retry_delay 2
  service_name "splunk"
  pattern "splunk"
  startup_type :automatic
  cookbook_name "chef-splunk"
  recipe_name "service"
end



[2014-10-27T18:57:36+00:00] INFO: Running queued delayed notifications before re-raising exception
[2014-10-27T18:57:54+00:00] INFO: template[/opt/splunkforwarder/etc/system/local/outputs.conf] sending restart action to service[splunk] (delayed)
[2014-10-27T18:57:54+00:00] INFO: Processing service[splunk] action restart (chef-splunk::service line 79)

================================================================================
Error executing action `restart` on resource 'service[splunk]'
================================================================================


Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '1'
---- Begin output of /etc/init.d/splunk restart ----
STDOUT: Restarting Splunk...
splunkd is not running.
                    SPLUNK SOFTWARE LICENSE AGREEMENT

THIS SPLUNK SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE INSTALLATION
AND USE OF THE SPLUNK SOFTWARE DESCRIBED HEREIN. THE INSTALLATION AND USE OF THE
SPLUNK SOFTWARE WILL BE SUBJECT TO THE ORDER DOCUMENT(S).

YOU WILL BE REQUIRED TO INDICATE YOUR AGREEMENT TO THESE TERMS AND CONDITIONS IN
ORDER TO DOWNLOAD THE SOFTWARE, REGISTER THE SOFTWARE WITH SPLUNK AND OBTAIN
LICENSE KEYS NECESSARY TO COMPLETE THE INSTALLATION PROCESS FOR THE SOFTWARE. 
BY CLICKING ON THE "YES" BUTTON OR OTHER BUTTON OR MECHANISM DESIGNED TO
ACKNOWLEDGE AGREEMENT TO THE TERMS OF AN ELECTRONIC COPY OF THIS AGREEMENT, OR
DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING ANY MEDIA THAT CONTAINS THE
SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT, INCLUDING ALL TERMS
INCORPORATED BY REFERENCE. THIS AGREEMENT IS ENFORCEABLE AGAINST ANY PERSON OR
ENTITY THAT USES THE SOFTWARE AND ANY PERSON OR ENTITY THAT USES THE SOFTWARE ON
ANOTHER PERSON'S OR ENTITY'S BEHALF. YOU AGREE THAT THIS AGREEMENT IS EQUIVALENT
TO ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.  IF YOU AGREE TO THESE TERMS
ON BEHALF OF A BUSINESS OR A GOVERNMENT AGENCY, DEPARTMENT OR INSTRUMENTALITY,
YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THAT BUSINESS TO THIS
AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF
THE BUSINESS.  IN THAT EVENT, "YOU" AND "YOUR" REFER HEREIN TO THAT BUSINESS.

THIS SOFTWARE IS BEING LICENSED AND NOT SOLD TO YOU.  SPLUNK PERMITS YOU TO
DOWNLOAD, INSTALL AND USE THE FUNCTIONALITY OR FEATURES OF THE SOFTWARE ONLY IN
ACCORDANCE WITH THE TERMS OF THIS AGREEMENT.

1.  DEFINITIONS.   Capitalized terms not otherwise defined herein can be found
in Exhibit A.

2.  TERM. This Agreement will be in effect perpetually unless earlier
terminated as provided herein (the "Term").

3.  LICENSE GRANTS.  Subject to your compliance with the terms and conditions
of this Agreement, including (as applicable) your timely payment of license fees
set forth in the applicable Order Document (the "License Fees"), Splunk grants
to you the following nonexclusive, worldwide, nontransferable, nonsublicensable,
revocable, limited licenses during the Term (or such other period of time
provided in your Order Document) to use solely for your Internal Business
Purpose:

3.1.  the Purchased Software to index no more than the peak daily volume of
uncompressed data set forth in your Order Document for which you have paid the
applicable License Fees (the "Purchased Peak Daily Volume");

3.2.  the Purchased Software to analyze and visualize data from the number of
Nodes or the Fractional Use of Nodes identified in the applicable Order
Document;

3.3.  the Splunk Extensions solely for use with the Software;

3.4.  the Purchased Software for Data Duplication; and

3.5.  the Splunk API solely for the purpose of developing Extensions for use
with the Software (collectively, "Your Extensions"). You agree to assume full
responsibility for the performance of Your Extensions, and shall indemnify, hold
harmless, and defend Splunk (including all of its officers, employees,
directors, subsidiaries, representatives, Affiliates and agents) and Splunk's
licensors and suppliers from and against any claims or lawsuits, including
attorney's fees and expenses, that arise or result from Your Extensions. You
retain title to and copyright for Your Extensions, subject to Splunk's title to
and copyright for the Splunk Materials as specified in Section 6 below.

3.6.  Some software components may be distributed with the Software.  If
separate license terms accompany those components, such separate license terms
apply to Your use of such components.

4.  FREE SPLUNK SOFTWARE AND EVALUATION SOFTWARE LICENSES.

4.1.  Free Splunk Software License. Subject to your compliance with the terms
and conditions of this Agreement, Splunk grants to you a non-exclusive,
worldwide, fully-paid up copyright license to use the Free Splunk Software
subject to the following conditions: (i) you may index no more than 500MB of
uncompressed data per day (the "Free Peak Daily Volume") and (ii) you may use
the Free Splunk Software only for your Internal Business Purposes. You
acknowledge that the Free Splunk Software may be limited in features, functions,
or have other limitations not present in the Purchased Software or Evaluation
Software.

4.2.  Evaluation Software Trial License.  Notwithstanding Section 2 of this
Agreement, if the applicable Order Document is limited to a free trial license
of the Evaluation Software or you are otherwise provided a free trial license of
the Evaluation Software, then the term will be limited to the free trial period
specified in the Order Document or with the license key (the "Trial Period").
This Agreement and any license rights granted hereunder will automatically
terminate at the end of the Trial Period, and there will be no renewal term. You
may install and use the Evaluation Software solely (i) to index no more than the
amount of uncompressed data per day provided in such Order Document or with the
license key (the "Trial Peak Daily Volume") or to analyze and visualize data
from no more than five (5) Nodes, as applicable; and (ii) for the purpose of
determining whether to purchase a commercial license to the Purchased Software,
and not for any revenue generation, commercial activity or other productive
business or developmental purpose. Any license keys provided for a free trial
will automatically expire and may cause the Evaluation Software to become
non-operational at the end of the Trial Period. If You wish to use the
Evaluation Software after the Trial Period expires, You agree to purchase the
applicable license.  By continuing to use the Evaluation Software after the
Trial Period expires, You acknowledge and agree that You shall be responsible
for any and all license fees required for such use. Splunk reserves the right to
exercise its rights under Section 9 of this Agreement to ensure compliance with
this Section 4.2.

4.3.  Limitations.  To the extent that any provision of this Section 4 is in
conflict with any other term or conditions of this Agreement, this Section 4
shall supersede such other terms and conditions with respect to the Free Splunk
Software or Evaluation Software, but only to the extent necessary to resolve the
conflict.  Splunk reserves the right to terminate your license to use the Free
Splunk Software or Evaluation Software at any time in its sole discretion. 
Provisions in this Agreement regarding License Fees, maintenance and support,
warranty and indemnification, including, without limitation, Sections 7, 8, 10,
11, and 13, will not apply to Free Splunk Software or Evaluation Software.

5.  SOFTWARE RESTRICTIONS. You agree not to (a) use the Splunk Materials or
Your Extensions except as expressly authorized in this Agreement and your Order
Document; (b) copy the Software (except as required to run the Software and for
reasonable backup purposes); (c) modify, adapt, or create derivative works of
the Software; (d) rent, lease, loan, resell, transfer, sublicense (including,
but not limited to, offering any of the functionality of the Splunk Materials or
Your Extensions on a service provider, hosted or time sharing basis) or
distribute the Splunk Materials or Your Extensions to any third party; (e)
decompile, disassemble or reverse-engineer the Software or otherwise attempt to
derive the Software source code; (f) disclose to any third party the results of
any benchmark tests or other evaluation of the Software; or (g) authorize any
third parties to do any of the above.  Any consultant, contractor, or agent
hired to perform services for you may operate the Software on your behalf under
these terms and conditions, provided that: (v) you are responsible for ensuring
that any such third party agrees to abide by and fully comply with the terms of
this Agreement on the same basis as applicable to you; (x) such use is only in
connection with your Internal Business Purpose; (y) such use does not represent
or constitute an increase in the scope of the licenses provided hereunder; and
(z) you remain fully liable for any and all acts or omissions by such third
parties related to this Agreement.  The Software will be configured to display
warnings, reduce available functionality, and/or cease searching data when the
Peak Daily Volume is reached.  Any violation of this Section shall be a material
breach of this Agreement subject to immediate termination of this Agreement for
which no notice from Splunk shall be required.

6.  OWNERSHIP. Splunk, its suppliers and/or its licensors own all worldwide
right, title and interest in and to the Splunk Materials, including all
worldwide patent rights (including patent applications and disclosures);
copyright rights (including copyrights, copyright registration and copy rights
with respect to computer software, software design, software code, software
architecture, firmware, programming tools, graphic user interfaces, reports,
dashboard, business rules, use cases, screens, alerts, notifications, drawings,
specifications and databases); trademark rights (including the goodwill
associated therewith); moral rights; trade secrets and other rights with respect
to confidential or proprietary information; know-how; other rights with respect
to inventions, discoveries, ideas, improvements, techniques, formulae,
algorithms, processes, schematics, testing procedures, technical information and
other technology; and any other intellectual and industrial property rights,
whether or not subject to registration or protection; and all rights under any
license or other arrangement with respect to the foregoing (the "Intellectual
Property Rights"). Except as expressly stated in this Agreement, Splunk does not
grant you any Intellectual Property Rights in the Splunk Materials, and all
right, title, and interest in and to all copies of the Splunk Materials not
expressly granted herein remain with Splunk, its suppliers and/or its licensors.
The Splunk Materials are copyrighted and protected by the laws of the United
States and other countries, and international treaty provisions. You may not
remove or obscure any copyright, trademark, and/or any other intellectual
property or other proprietary notices from the Splunk Materials.

7.  PURCHASED SOFTWARE LICENSE FEES. In order to access and use the Purchased
Software, you are required to pay to Splunk the License Fees, which are due
thirty (30) days from the date of the Splunk invoice. The License Fees will be
due and payable in accordance with the terms set forth in your Order Document.
Any failure to pay the License Fees in accordance with an Order Document may
result in automatic revocation and termination of this Agreement and all rights
and licenses granted hereunder in Splunk's sole discretion.  All License Fees
are non-refundable once paid.  Any fees and payment terms for Splunk Extensions
will be identified on your Order Document or on apps.splunk.com.

8.  MAINTENANCE AND SUPPORT. Subject to your payment of the applicable annual
maintenance and support fees set forth in your Order Document (the "Support
Fees"), which are due thirty (30) days from the date of the Splunk invoice,
Splunk will provide the level of Support for the Purchased Software identified
in your Order Document and in accordance with the support and maintenance terms
and conditions set forth on Exhibit B (the "Support and Maintenance Terms and
Conditions"), attached hereto and made a part hereof.  Splunk is not obligated
to support, update or upgrade the Evaluation Software or the Free Splunk
Software.

9.  SOFTWARE VERIFICATION AND AUDIT. At Splunk's written request, you will
furnish Splunk with a certification signed by your authorized representative
verifying that the Purchased Software or the Evaluation Software, as applicable,
is being used in accordance with the terms and conditions of this Agreement and
the applicable Order Document. Upon at least ten (10) days' prior written notice
and subject to applicable reasonable or national security requirements, if any,
Splunk may audit your use of the Purchased Software or the Evaluation Software
to ensure that you are in compliance with the terms of this Agreement and the
applicable Order Document. Any such audit will be conducted during regular
business hours at your facilities, will not unreasonably interfere with your
business activities and will be in compliance with your reasonable security
procedures. You will provide Splunk with reasonable access to the relevant
records and facilities for the Purchased Software or the Evaluation Software. If
an audit reveals that you have exceeded the Peak Daily Volume or the scope of
your license grant during the period audited, then Splunk will invoice you, and
you will promptly pay Splunk any underpaid fees based on Splunk's price list in
effect at the time the audit is completed. If the excess daily volume usage
exceeds ten percent (10%) of the Peak Daily Volume, then you will also pay
Splunk's reasonable costs of conducting the audit.  This Section shall survive
expiration or termination of this Agreement for a period of three (3) years.

10.  PURCHASED SOFTWARE WARRANTY. Splunk warrants that for a period of thirty
(30) days after the earlier of delivery of the Purchased Software or
registration of the Purchased Software with Splunk, the Purchased Software will
substantially achieve any material function described in documentation for the
Purchased Software published by Splunk. As Splunk and its Affiliates, licensors
and suppliers' sole liability and your sole remedy for any failure of the
Purchased Software to conform to this warranty, Splunk will repair or replace
(at Splunk's option) your copy of the Purchased Software.  You acknowledge that
the Evaluation Software and the Free Splunk Software are provided on an "as is"
basis, and Splunk disclaims any warranty or liability obligations to you of any
kind with respect to the Evaluation Software or the Free Splunk Software.

11.  WARRANTY DISCLAIMER. EXCEPT AS SET FORTH IN SECTION 10 ABOVE, SPLUNK, ITS
AFFILIATES, LICENSORS AND SUPPLIERS PROVIDE THE SPLUNK MATERIALS AS-IS AND
EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NONINFRINGEMENT, QUIET ENJOYMENT, AND INTEGRATION, AND
WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. YOU AGREE THAT,
AS BETWEEN YOU AND SPLUNK, YOU ARE RESPONSIBLE FOR THE ACCURACY AND QUALITY OF
YOUR DATA INPUT INTO ANY SPLUNK MATERIALS.  BECAUSE THIS DISCLAIMER OF WARRANTY
MAY NOT BE VALID IN SOME STATES OR JURISDICTIONS, THE ABOVE DISCLAIMER MAY NOT
APPLY TO YOU.

12.  LIMITATION OF LIABILITY. TO THE EXTENT PERMITTED BY APPLICABLE LAW,
SPLUNK'S TOTAL CUMULATIVE LIABILITY TO YOU, FROM ALL CAUSES OF ACTION AND ALL
THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE AMOUNTS PAID
BY YOU TO SPLUNK UNDER THE APPLICABLE ORDER DOCUMENT GIVING RISE TO SUCH
LIABILITY IN THE TWELVE (12) MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH
LIABILITY. IN NO EVENT WILL SPLUNK BE LIABLE TO YOU FOR ANY SPECIAL, INDIRECT,
INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOSS OF USE, DATA, OR
PROFITS, BUSINESS INTERRUPTION, OR COSTS OF PROCURING SUBSTITUTE SPLUNK
MATERIALS OR SUBSTITUTE SUPPORT) ARISING OUT OF OR IN CONNECTION WITH THIS
AGREEMENT OR THE USE OR PERFORMANCE OF THE SPLUNK MATERIALS OR THE SUPPORT,
WHETHER SUCH LIABILITY ARISES FROM CONTRACT, WARRANTY, TORT (INCLUDING
NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SPLUNK HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. THE PARTIES HAVE AGREED THAT
THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY REMEDY IS FOUND TO HAVE
FAILED OF ITS ESSENTIAL PURPOSE. WITHOUT LIMITING THE FOREGOING, SPLUNK WILL
HAVE NO LIABILITY OR RESPONSIBILITY FOR ANY BUSINESS INTERRUPTION OR LOSS OF
DATA ARISING FROM THE AUTOMATIC TERMINATION OF THE LICENSE RIGHTS GRANTED HEREIN
AND ANY ASSOCIATED CESSATION OF THE FUNCTIONS OF THE SPLUNK MATERIALS. BECAUSE
SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF
CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 
Splunk is acting on behalf of its Affiliates, licensors and suppliers for the
purpose of disclaiming, excluding and limiting obligations, warranties and
liability, but in no other respects and for no other purposes.

13.  PURCHASED SOFTWARE INDEMNITY. Provided your use of the Purchased Software
was in accordance with the terms of this Agreement, Splunk will defend,
indemnify and hold you harmless from and against any loss, damage, liability or
cost (including reasonable attorneys' fees) resulting from any third party claim
that the Purchased Software infringes or violates any third party's copyright,
trademark, rights; provided that you promptly notify Splunk in writing of any
and all such claims. In the event of any loss, damage, liability or cost for
which Splunk is obligated to indemnify you hereunder, Splunk shall have sole
control of the defense and all related settlement negotiations, and you shall
reasonably cooperate with Splunk in the defense and/or settlement thereof at
Splunk's expense; provided that you may participate in such defense using your
own counsel, at your own expense. The indemnification obligations set forth in
this Section constitute your sole remedy, and Splunk's sole liability, with
respect to any claims that the Purchased Software infringes any third party's
intellectual property rights

14.  CONFIDENTIAL INFORMATION.

14.1.  Confidential Information.  "Confidential Information" means any
technical or business information, ideas, materials, know-how or other subject
matter that is disclosed by one party to the other party that: (A) if disclosed
in writing, is marked "confidential" or "proprietary" at the time of such
disclosure; (B) if disclosed orally, is identified as "confidential" or
"proprietary" at the time of such disclosure, and is summarized in a writing
sent by the disclosing party to the receiving party within thirty (30) days
after any such disclosure; or (C) under the circumstances, a person exercising
reasonable business judgment would understand to be confidential or proprietary.
"Confidential Information" of Splunk shall include the Splunk Materials, source
code and the license keys to download the Software.

14.2.  Use and Disclosure Restrictions.  The party receiving Confidential
Information ("Recipient") agrees: (i) to maintain the Confidential Information
of the party disclosing such information (the "Discloser") in the strictest of
confidence; (ii) not to disclose such Confidential Information to any third
parties; and (iii) not to use any such Confidential Information for any purpose
other than in furtherance of this Agreement and the activities described herein.
Recipient will treat Confidential Information of the Discloser with the same
degree of care as it accords to its own Confidential Information, but in no
event with less than reasonable care. Recipient may disclose the Confidential
Information of Discloser to its directors, officers, employees and consultants
(collectively, "Representatives") who have a bona fide need to know such
Confidential Information, but solely to the extent necessary to pursue the
activities described herein and for no other purpose; provided that each such
Representative first executes a written agreement (or is otherwise already bound
by a written agreement) that contains use and nondisclosure restrictions at
least as protective of the other party's Confidential Information as those set
forth herein.

14.3.  Exclusions. The obligations of Recipient under Section 14.2 shall not
apply to any Confidential Information which: (a) is now or thereafter becomes
generally known or available to the public, through no act or omission on the
part of Recipient (or any of its Representatives, affiliates, or agents) or any
third party subject to any use or disclosure restrictions with respect to such
Confidential Information; (b) was known by or lawfully in the possession of
Recipient, prior to receiving such information from Discloser, without
restriction as to use or disclosure; (c) is rightfully acquired by Recipient
from a third party who has the right to disclose it and who provides it without
restriction as to use or disclosure; or (d) is independently developed by
Recipient without access to any Confidential Information of Discloser.

14.4.  Required Disclosures.  The provisions of Section 14.2 will not restrict
Recipient from disclosing Discloser's Confidential Information to the extent
required by any law or regulation or compelled by a court or administrative
agency of competent jurisdiction.

14.5.  Independent Development. Recipient reserves the right to develop and
market any technology, products or services or pursue business opportunities
that compete with or are similar to those disclosed by Discloser under this
Agreement without the use of the Discloser's Confidential Information. Nothing
contained in this Agreement shall prohibit or restrict Recipient from employing
general ideas, concepts or techniques which may be retained in the unaided human
memory by Recipient personnel in the course of their review of the Confidential
Information (but without any attempt to memorize such information). The
foregoing sentence shall not, however, grant Recipient any rights under any
patents or copyrights.

14.6.  Return or Destruction of Confidential Information.  Upon termination of
the Agreement or support and maintenance, Recipient will promptly return to
Discloser, or at Discloser's option, destroy, all tangible items and embodiments
containing or consisting of Discloser's Confidential Information and all copies
thereof and provide written certification of such destruction or return by an
authorized person.

15.  TERMINATION. You may terminate this Agreement at any time by providing to
Splunk a written statement signed by your authorized representative notifying
Splunk that you are terminating the Agreement. If you are not a U.S. Government
agency, department, or instrumentality, upon thirty (30) days notice, Splunk may
terminate this Agreement (and your license rights) upon notice in the event that
you breach any provision of this Agreement and have not cured the breach during
such notice period.  Notwithstanding the foregoing, a material breach of any
license granted to you shall be grounds for immediate termination.  If you are a
U.S. Government agency, department, or instrumentality, termination terms and
conditions shall be governed by 48 C.F.R. § 52.212-4.  Upon any expiration or
termination of this Agreement, the rights and licenses granted hereunder will
automatically terminate, and you agree to immediately cease using the Splunk
Materials and to return or destroy all copies of the Splunk Materials, including
any documentation, and other Splunk Confidential Information in your possession
or control and certify in writing the completion of such return or destruction
in accordance with Section 14.6. In the event of termination of this Agreement,
Splunk will have no obligation to refund any License Fees, Support Fees, or
other fees received from you during the Term. Section 1 (Definitions), Section
3.5 (solely with respect to indemnity), Section 6 (Ownership), Section 9
(Software Verification and Audit), Section 11 (Warranty Disclaimer), Section 12
(Limitation of Liability), Section 13 (Purchased Software Indemnity), Section 15
(Termination) and Sections 16 (Severability) through 22 (General) shall survive
termination of this Agreement

16.  SEVERABILITY. Unless otherwise provided herein, all rights and remedies,
whether conferred hereunder or by any other instrument or law, will be
cumulative and may be exercised singularly or concurrently. The failure by
either party to enforce any provisions of this Agreement will not constitute a
waiver of any other right hereunder or of any subsequent enforcement of that or
any other provisions. The terms and conditions stated herein are declared to be
severable. If a court of competent jurisdiction holds any provision of this
Agreement invalid or unenforceable, the remaining provisions of the Agreement
will remain in full force and effect, and the provision affected will be
construed so as to be enforceable to the maximum extent permissible by law.

17.  EXPORT. You will comply fully with all relevant export laws and
regulations of the United States and any other country ("Export Laws") where you
use any of the Splunk Materials. You certify that you are not on any of the
relevant U.S. Government Lists of prohibited persons, including but not limited
to the Treasury Department's List of Specially Designated Nationals, and the
Commerce Department's List of Denied Persons or Entity List.  You further
certify that you shall not export, re-export, ship, transfer or otherwise use
the Splunk Materials in any country subject to an embargo or other sanction by
the United States, including Iran, Syria, Cuba, Sudan and North Korea and that
you shall not use the Splunk Materials for any purpose prohibited by the Export
Laws, including, but not limited to, nuclear, chemical, missile or biological
weapons related end uses.

18.  GOVERNMENT END USER RIGHTS.  You acknowledge that all Splunk Materials
were developed entirely at private expense and that no part of the Splunk
Materials was first produced in the performance of a Government contract.  You
agree that all Splunk Materials and any derivatives thereof are "Commercial
Items" as defined in 48 C.F.R. § 2.101, and if You are a U.S. Government agency
or instrumentality or if You are providing all or any part of the Splunk
Material or any derivatives thereof to the U.S. Government, such use,
duplication, reproduction, release, modification, disclosure or transfer of this
commercial product and data, is restricted in accordance with 48 C.F.R. §
12.211, 48 C.F.R. § 12.212, 48 C.F.R. § 227.7102-2, and 48 C.F.R. § 227.7202, as
applicable.  Consistent with 48 C.F.R. § 12.211, 48 C.F.R. § 12.212, 48 C.F.R. §
227.7102-1 through 48 C.F.R. § 227.7102-3, and 48 C.F.R. §§ 227.7202-1 through
227.7202-4, as applicable, the Splunk Materials are licensed to U.S. Government
end users (i) only as Commercial Items and (ii) with only those rights as are
granted to all other users pursuant to this Agreement and any related
agreement(s), as applicable.  Accordingly, You will have no rights in the Splunk
Materials except as expressly agreed to in writing by You and Splunk.

19.  PUBLICITY.  You agree that Splunk may publish a brief description
highlighting your deployment of the Software, identify you as a Splunk customer
on any of Splunk's websites, client lists, press releases, and/or other
marketing materials.

20.  THIRD PARTY CONTENT DISCLAIMER. Most of the Extensions and content on
apps.splunk.com are submitted by third parties ("Third-Party Content"). Such
Third-Party Content is the sole responsibility of the originator of that
Third-Party Content. Splunk is not responsible for any Third-Party Content,
whether or not Splunk reviewed or moderated such Third Party Content. You agree
that you bear all risks associated with using or relying on the Third Party
Content.  Splunk does not in any way warrant the accuracy, reliability,
completeness, usefulness, non-infringement, or quality of any Third-Party
Content, regardless of who originated that content (including our employees,
partners, Affiliates or moderators), and even if an application is designated as
"certified". Splunk hereby disclaim all warranties, including, but not limited
to, any implied warranties of merchantability, quiet enjoyment, integration or
fitness for a particular purpose, relating to Third Party Content.  Splunk shall
not be liable or responsible in any way for any loss or damage of any kind,
including, but not limited to, lost profits, loss of use, data, business
interruption, costs of procuring substitute software or other indirect or
consequential damages, relating to your use of or reliance upon any Third Party
Content.

21.  CHOICE OF LAW AND DISPUTES.  The following Choice of Law and Disputes
terms and conditions shall apply under this Agreement: (i) For other than the
U.S. Government as a party, this Agreement shall be governed by and construed in
accordance with the laws of the State of California, as if performed wholly
within the state and without giving effect to the principles of conflict of law
rules of any jurisdiction or the United Nations Convention on Contracts for the
International Sale of Goods, the application of which is expressly excluded. Any
legal action or proceeding arising under this Agreement will be brought
exclusively in the federal or state courts located in San Francisco, California
and the parties hereby consent to personal jurisdiction and venue therein.  If a
dispute arises between You and Splunk, and either You or Splunk files suit in
any court of competent jurisdiction to enforce rights under this Agreement, then
the prevailing party shall be entitled to recover from the other party all costs
of such action or suit, including, but not limited to, investigative costs,
court costs and reasonable attorneys' fees (including expenses incurred to
collect those expenses). (ii) If a dispute arises between You and Splunk that is
related to a Government customer that is subject to the Contract Disputes Act,
41 U.S.C. § 7101 et seq., concerning issues of fact or law which relate to this
Agreement (a "CDA Dispute"), the following dispute procedures shall apply.  If
the U.S. Government issues a final decision regarding a CDA Dispute, such
decision shall be provided within ten (10) days of receipt by You by written
notification to Splunk and subsequently binding upon Splunk to the same extent
it is binding upon You, subject to Splunk's right to seek additional time, cost
or both.  Splunk shall continue performance in accordance with the decision
pending any appeal that may be initiated pursuant to the provisions below.  If
You elect to appeal such decision under Your prime contract "Disputes" clause,
Splunk shall be permitted to participate fully in such appeal concerning issues
of fact or law which relate to this Agreement for the purpose of protecting
Splunk's interest.  You shall not enter into a settlement with the Government as
to any portion of the appeal affecting Splunk without Splunk's prior written
consent. If You elect not to appeal a CDA Dispute, such election must be made
within thirty (30) days of the Government's final decision and Company agrees to
notify Splunk within three (3) days after Company elects not to appeal.  If
Splunk elects to pursue appeal of such decision by the Contracting Officer,
Splunk shall provide written notice of such election to You, and the parties
shall enter into a sponsorship agreement pursuant to which Splunk shall have the
right to prosecute in Your name, any and all appeals arising from the
Government's determination.  Any such appeal brought by Splunk in Your name
shall be at the expense of Splunk, provided, however, that You, at Your expense,
shall provide Splunk with reasonable assistance in the presentation of such
appeal.  (iii) If You are the U.S. Government as a party to this Agreement, this
Agreement shall be governed by and interpreted in accordance with the Contract
Disputes Act of 1978, as amended (41 U.S.C. §§ 7101-7109).  Failure of the
parties to reach agreement on any request for equitable adjustment, claim,
appeal, or action arising under or relating to this Agreement shall be a dispute
to be resolved in accordance with the clause at 48 C.F.R § 52.233-1, which is
incorporated in this Agreement by reference.

22.  GENERAL. All notices required or permitted under this Agreement or any
Exhibit hereto will be in writing and delivered in person, by confirmed
facsimile transmission, by overnight delivery service, or by registered or
certified mail, postage prepaid with return receipt requested, and in each
instance will be deemed given upon receipt.  All communications will be sent to
the addresses set forth in the applicable Order Document(s) or to such other
address as may be specified by either party to the other party in accordance
with this Section. You may not assign, delegate or transfer this Agreement, in
whole or in part, by agreement, operation of law or otherwise.  Splunk may
assign this Agreement in whole or in part to (i) an Affiliate, upon written
notice to you (such notice to be delivered electronically or otherwise) or (ii)
in connection with an internal reorganization or in connection with a merger,
acquisition, or sale of all or substantially all of Splunk's assets. Any attempt
to assign this Agreement other than as permitted herein will be null and void;
provided, however, Splunk may assign its rights to receive payment due as a
result of performance of this Agreement to a bank, trust company, or other
financing institution, including any Federal lending agency in accordance with
the Assignment of Claims Act (31 U.S.C. § 3727) and may assign this Agreement in
accordance with the provisions at 48 C.F.R § 42.12, as applicable. Subject to
the foregoing, this Agreement will bind and inure to the benefit of the parties'
permitted successors and assigns.  This Agreement along with any additional
terms incorporated herein by reference, including any Order Documents and any
Exhibits hereto, constitute the complete and exclusive understanding and
agreement between the parties and supersede any and all prior or contemporaneous
agreements, communications and understandings, written or oral, relating to
their subject matter. Any waiver, modification or amendment of any provision of
this Agreement will be effective only if in writing and signed by duly
authorized representatives of both parties.  Any terms and conditions contained
or referenced by either party in a quote, purchase order, acceptance, invoice or
any similar document purporting to modify the terms and conditions contained in
this Agreement shall be disregarded and have no effect unless otherwise
expressly agreed to by the parties in accordance with the preceding sentence.


EXHIBIT A
DEFINITIONS

1.  "Affiliate" means, with respect to any person or entity, any other person
or entity that directly or indirectly Controls or is Controlled by such person
or entity, from time to time, but only for so long as such Control exists.
"Control" and its grammatical variants mean (i) a general partnership interest
in a partnership, or (ii) the beneficial ownership of a majority of the
outstanding equity entitled to vote for directors.

2.  "Data Duplication" means an indexer that receives already indexed data
from another indexer or group of indexers that first processed the same data
under a valid Software license.

3.  "Cluster" means a group of Nodes administered by one Hadoop JobTracker or
Hadoop Resource Manager.

4.  "Enhancements" means any updates, upgrades, releases, fixes, enhancements
or modifications to the Software as provided under the terms and conditions
outlined in Exhibit B.

5.  "Evaluation Software" means Software licensed for internal evaluation
purposes and not for productive business use.

6.  "Extensions" mean any separate downloadable suite, add-on, example module,
command, function, or application which extends the Software.

7.  "Fractional Use of Nodes" means the greater of compute load or applicable
storage of the number of Nodes in Cluster(s) for a specific use case or business
unit, as identified in an Order Document.

8.  "Free Splunk Software" means Software licensed for free from Splunk.

9.  "Internal Business Purpose" means the use of any of the Splunk Materials,
as applicable, only for Your internal business use with Your systems, networks,
devices and data.  Such use does not include use of Your systems, networks or
devices as part of services You provide for a third party's benefit.

10.  "Node" means a 64 bit Linux operating system or any other operating
system identified in the documentation that runs Hadoop TaskTracker or Node
Manager to execute Splunk jobs.

11.  "Order Document(s)" mean the purchase order or any equivalent ordering
document and the order confirmation that detail the components, solutions, and
quantities of your purchase of Splunk Materials.

12.  "Peak Daily Volume" means the Purchased Peak Daily Volume, the Free Peak
Daily Volume and/or the Trial Peak Daily Volume, as applicable.

13.  "Purchased Software" means Software purchased through Splunk or other
channels.

14.  "Software" means the software components listed in the Order Document(s),
Free Splunk Software, and Evaluation Software which have a valid license, and
any applicable Enhancements thereof or thereto.

15.  "Splunk" means Splunk Inc., a Delaware corporation, 250 Brannan Street,
San Francisco, California 94107.

16.  "Splunk API" means the documentation and functionality included with the
Software which enable the creation of Extensions.

17.  "Splunk Extensions" mean any Extensions authored by Splunk and
downloadable through Splunk's online store.

18.  "Splunk Materials" mean the Software, Splunk API, and/or the Splunk
Extensions.


EXHIBIT B
SPLUNK INC.
SUPPORT AND MAINTENANCE TERMS AND CONDITIONS

You agree that the following terms and conditions ("Terms and Conditions") shall
govern the delivery of any support and/or maintenance services by Splunk
("Support") listed on an Order Document entered into pursuant to the Splunk
Software License Agreement (the "Agreement") to which these Terms and Conditions
are attached and made a part thereof.  Subject to your termination rights set
forth in the Agreement, ordering any Support from Splunk or any authorized
reseller indicates your acceptance of these Terms and Conditions.  These Terms
and Conditions are effective upon receipt and confirmation of acceptance of your
purchase order by Splunk or an authorized reseller (the "Effective Date").

1.  DEFINITIONS.   Unless otherwise defined in these Terms and Conditions,
capitalized terms shall have the meanings set forth in the Agreement.

2.  SUPPORT AND MAINTENANCE.

2.1.  Services.  Subject to your timely payment of the applicable annual
Support fees set forth in your Order Document(s) (the "Support Fees"), Splunk
will provide the level of Support identified in your Order Document(s) in
accordance with the Support descriptions set forth below.  Splunk will notify
(electronically or otherwise) you of any amendments to such Support descriptions
in each notice of term renewal. No other maintenance or support for the Software
is included in these Terms and Conditions.

2.2.  Support Fees.  Support Fees will be due and payable in accordance with
the Order Document(s). Splunk will notify (electronically or otherwise) you of
the then-current annual Support Fee for your level of Support in each notice of
term renewal. Support Fees will be non-refundable once paid.

2.3.  Exclusions.  Splunk will have no obligation of any kind to provide
Support for problems caused by or arising out of any of the following (each, a
"Licensee-Generated Error"): (i) modifications to the Software not made by
Splunk; (ii) use of the Software other than as authorized in the Agreement or as
provided in the documentation for the Software; (iii) damage to the media on
which the Software is provided or to the machine on which the Software is
installed; (iv) your negligence or fault; (v) versions of the Software other
than the most recent version or the Supported Prior Version (defined in Section
2.5.9); (vi) third-party products not expressly supported by Splunk; or (vii)
conflicts related to replacing or installing hardware, drivers, and software
that has not been Splunk certified.  If Splunk determines that it is necessary
to provide support for a problem caused by a Licensee-Generated Error, Splunk
will notify you thereof as soon as Splunk is aware of such Licensee-Generated
Error and Splunk will have the right to invoice you at Splunk's then-current
time and materials rates for any such support provided by Splunk.

2.4.  Restrictions.  Support is delivered in English only unless you are in a
location where Splunk has made localized Support available.

2.5.  Support Descriptions.

2.5.1.  Splunk Enterprise Support. Splunk Enterprise Support provides
telephone support, online documentation, web forums, email and a web-based
portal for submitting cases and tracking case status. Support cases are handled
based on case priority levels as described in Section 2.5.3.  When submitting a
case, customers select the priority for initial response by logging the case
online, in accordance with the priority guidelines set forth in Section 2.5.3. 
When the case is received, Splunk Customer Support may change the priority if
the issue does not conform to the criteria for the selected priority and will
provide you with notice (electronic or otherwise) of such change.  Splunk will
respond to Splunk Enterprise Support requests and will provide workarounds or
fixes in accordance with the guidelines set forth in Section 2.5.4.

2.5.2.  Splunk Global Support. Splunk Global Support provides the same
services as defined as Enterprise support and also provides a dedicated resource
to contact for meetings as frequently as weekly to monitor your support issues;
to provide additional status reports and metrics; and to coordinate and execute
a quarterly account status review at a mutually agreeable time.

2.5.3.  Case Priority Levels. Case priorities are assigned based on the
technical importance of the problem on your Splunk environment.

P1 = Splunk Software is completely inaccessible or the majority of its
     functionality is unusable.
P2 = One or more key features of Splunk Software are unusable.
P3 = Any other case where a Splunk Software feature is not operating as
     documented.
P4 = All enhancement requests.

2.5.4.  Target Fix, Workaround, Escalation and Response Times.

Initial Response & Acknowledgment, by case priority
Targeted Fix Date or Workaround, by case priority

P1: 4 hours             P1: 1 day
P2: Next business day   P2: 1 week
P3: Two business days   P3: Next release
P4: Two business days   P4: At Splunk's discretion

Escalation, by case priority
Email Status Updates for Open Cases, by case priority

P1: Manager: Immediate / VP: 1 business day                           P1: Daily
P2: Manager: 1 business day / VP: 1 week                              P2: Weekly
P3: VP Product Management reviews all open bugs quarterly             P3: None
P4: VP Product Management reviews all enhancement requests quarterly  P4: None

2.5.5.  Authorized Support Contacts. Support will be provided solely to the
authorized individual(s) specified by you that Splunk will communicate with when
providing Support ("Support Contacts"). Splunk strongly recommends that your
Support Contact(s) be trained on the Software. Your Order Document(s) will
indicate a maximum number of authorized Support Contacts for your license level.
You will be asked to designate your authorized support contacts, including their
primary email address and Splunk.com login ID, following Splunk's acknowledgment
of your Order Document(s).

2.5.6.  Defect Resolution. Should Splunk in its sole judgment determine that
there is a defect in the Software, it will, at its sole option, repair that
defect in the version of the Software that you are currently using or instruct
you to install a newer version of the Software with that defect repaired. Splunk
reserves the right to provide you with a workaround in lieu of fixing a defect
should it in its sole judgment determine that it is more effective to do so.

2.5.7.  Support Hours. Support is provided via telephone, email and web
portal. Support will be delivered by a member of Splunk's technical support team
during the regional hours of operation listed below.

Enterprise Support  Global Support

P1:  24 x 7  P1:  24 x 7

P2:  Monday through Friday by region (North America, APAC and EMEA) during
standard business hours (8 am to 5 pm); excluding Splunk holidays  P2:  24
hours per day during the five business days (Monday through Friday), excluding
Splunk holidays

P3:  Monday through Friday by region (North America, APAC and EMEA) during
standard business hours (8 am to 5 pm); excluding Splunk holidays  P3:  24
hours per day during the five business days (Monday through Friday), excluding
Splunk holidays

P4:  Monday through Friday by region (North America, APAC and EMEA) during
standard business hours (8 am to 5 pm); excluding Splunk holidays  P4:  Monday
through Friday by region (North America, APAC and EMEA) during standard business
hours (8 am to 5 pm); excluding Splunk holidays

2.5.8.  Your Obligation to Assist. Should you report a purported defect in the
Software to Splunk, Splunk may require you to provide them with the following
information: (a) a general description of the operating environment, (b) a list
of all hardware components, operating systems and networks, (c) a reproducible
test case, and (d) any log files, trace and systems files. Your failure to
provide this information may prevent Splunk from identifying and fixing that
purported defect.

2.5.9.  Software Upgrades and Software End of Life Policy. When available,
Splunk provides updates, upgrades, maintenance releases and reset keys only to
Splunk Enterprise or Global Support customers. Splunk Software comes with a
three digit number version. The first digit represents the major release (i.e.
upgrade), the second digit identifies the minor releases (i.e. updates) and the
third digit identifies the maintenance releases.  With a new major version, the
number to the left of the decimal is changed and for minor releases, the number
to the right of the decimal point is increased. If your Splunk Enterprise or
Global Support agreement expires, you will receive only maintenance releases,
when available.  Subject to the foregoing, Splunk provides full Support,
including, when available, bug fixes, only on the current major release and (a)
the immediately prior major release or (b) twenty-four months from the then
current major release, whichever period is greater  ("Supported Prior
Versions").

2.6.  Changes in Support and Software.  Subject to Section 2.5.9, You
acknowledge that Splunk has the right to discontinue the manufacture and
development of any Software and the Support for any Software, including, without
limitation, the distribution of older Software versions, at any time in its sole
discretion, provided that Splunk agrees not to discontinue Support for the
Software during the current annual term of these Terms and Conditions, subject
to the termination provisions herein.  Splunk reserves the right to alter
Support from time to time, using reasonable discretion but in no event shall
such alterations result in (i) diminished support from the level of Support set
forth herein; (ii) materially diminished obligations for Splunk; (iii)
materially diminished your rights; or (iv) higher Support Fees during the
then-current term.  Splunk shall provide you with thirty (30) days prior written
notice (delivered electronically or otherwise) of any permitted material changes
to the Support contemplated herein.

3.  TERM AND TERMINATION.

3.1.  Term.  These Terms and Conditions will commence on the date when Splunk
delivers the license key for the Software to you and, unless terminated earlier
in accordance with the terms of the Agreement, for a period of one (1) year
thereafter (the "Initial Term"). The agreement will automatically renew for
additional one (1)-year terms (each, a "Renewal Term," and the Initial Term,
collectively with any and all Renewal Terms, shall be referred to as the
"Support Term"), unless either party provides the other (or if purchased through
a reseller, you provide reseller) with written notice of its intent not to renew
the agreement at least thirty (30) days prior to the end of the then current
Initial Term or Renewal Term.   If you allow your Support Term to expire, then
you may seek to re-activate Support by submitting a purchase order that includes
fees for the lapsed period.

3.2.  Survival.  The rights and obligations of the parties contained in
Sections 1 and 3.2 will survive the expiration or termination of the Agreement,
these Terms and Conditions or any Order Document(s).

4.  FORCE MAJEURE.  Splunk will not be responsible for any failure or delay in
its performance under these Terms and Conditions due to causes beyond its
reasonable control, including, but not limited to, labor disputes, strikes,
lockouts, shortages of or inability to obtain labor, energy, raw materials or
supplies, war, acts of terror, riot, acts of God or governmental action.

Splunk rev.  9.11.2013
STDERR: tcgetattr: Invalid argument
WARNING: error changing terminal modes - password will echo!
Do you agree with this license? [y/n]:
---- End output of /etc/init.d/splunk restart ----
Ran /etc/init.d/splunk restart returned 1


Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/chef-splunk/recipes/service.rb

 79: service 'splunk' do
 80:   supports :status => true, :restart => true
 81:   provider Chef::Provider::Service::Init
 82:   action :start
 83: end



Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/chef-splunk/recipes/service.rb:79:in `from_file'

service("splunk") do
  provider Chef::Provider::Service::Init
  action [:start]
  supports {:status=>true, :restart=>true}
  retries 0
  retry_delay 2
  service_name "splunk"
  pattern "splunk"
  startup_type :automatic
  cookbook_name "chef-splunk"
  recipe_name "service"
end



[2014-10-27T18:57:55+00:00] ERROR: Running exception handlers

node['platform_family'] is now required and should be specified as such in the installer definition

After upgrading from v1.3 to v1.4, all of the specs for one of our projects started failing. It turns out that the project was not setting node['platform_family'], and this caused splunk_installer.rb's declare_resource block to receive a nil for local_package_resource unexpectedly.

I think the case statement from line 54 should have an else with a fail if node['platform_family'] is nil, but I'm not sure if it was your intention to make it required or not.

# cookbooks/chef-splunk/definitions/splunk_installer.rb:

 53:
 54:    local_package_resource = case node['platform_family']
 55:                             when 'rhel'   then :rpm_package
 56:                             when 'debian' then :dpkg_package
 57:                             when 'omnios' then :solaris_package
 58:                             end
 59:
 60:   declare_resource local_package_resource, params[:name] do
 61:      source cached_package.gsub(/\.Z/, '')
 62:      options pkgopts.join(' ') if platform?('omnios')
 63:    end
 64:  end
 65:

Cookbook apparently fails in airgap environment - what did I miss?

Cookbook version

chef-splunk (1.7.3)

Chef-client version

14.12.9 (pre-oracle-license)

Platform Details

centos7

Scenario:

On our network with no direct rubygems access, the cookbook seems to think it should hit rubygems. I'd like to prevent that harder.

Steps to Reproduce:

chef-client -o chef-splunk fails to run bundle-install in an air-gapped environment

devhost   - chef-splunk (1.7.3)
devhost   - chef-vault (3.0.0)
devhost Installing Cookbook Gems:
devhost
devhost Running handlers:
devhost [2019-06-28T08:44:48-07:00] ERROR: Running exception handlers
devhost Running handlers complete
devhost [2019-06-28T08:44:48-07:00] ERROR: Exception handlers complete
devhost Chef Client failed. 0 resources would have been updated
devhost [2019-06-28T08:44:48-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
devhost [2019-06-28T08:44:48-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
devhost [2019-06-28T08:44:48-07:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '17'
devhost ---- Begin output of bundle install ----
devhost STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
devhost installing your bundle as root will break this application for all non-root
devhost users on this machine.
devhost Fetching source index from https://www.rubygems.org/
devhost
devhost Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://www.rubygems.org/
devhost Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://www.rubygems.org/
devhost Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://www.rubygems.org/
devhost Could not fetch specs from https://www.rubygems.org/
devhost STDERR:
devhost ---- End output of bundle install ----
devhost Ran bundle install returned 17

I'll bet I haven't found all the ways chef now reaches out to the cosmos and sucks in planetoids from wherever, but I'm willing to check. My .gemrc says:

---
gem: --no-rdoc --no-ri
:verbose: false
:update_sources: true
install: --no-wrappers --no-user-install --conservative --minimal-deps
update: --no-wrappers --no-user-install --conservative --minimal-deps
:disable_default_gem_server: true
:sources:
- http://localrepo.our.net/gems/

And I'm sure that's not always enough. My chef experience is light, and please flame gently.

This looks like chef-boneyard/chef-vault#61 and sous-chefs/docker#682 and chef-boneyard/chef-vault#63 and, and, and.

Chef-client run will fail on bootstrap

While bootstrapping a node with the chef-splunk recipe on the default runlist I get this error:

NoMethodError: undefined method `split' for #<Hash:0x007fdd20381c10>
/var/cache/chef/cookbooks/chef-splunk/recipes/setup_auth.rb:23:in `from_file'

I need to update the vault after the node has been registered (which means after the crash) in order for that part to succeed.

Usage of chef-vault

This is the first community cookbook I've seen that uses ChefVault. Is this going to be a common theme moving forward? I think it would be great if that were the case, as it's sometimes difficult to determine the "best" way to manage keys in any given situation.

Upgrade doesn't restart splunk

  1. After splunk upgrade, it doesn't restart splunk
  2. Looks like the splunk service name in "recipes/upgrade.rb" is different from the one in "recipes/service.rb". It would be a good idea to keep them the same to be consistent.

"recipes/upgrade.rb"

service 'splunk_stop' do
  service_name 'splunk'
  supports :status => true
  provider Chef::Provider::Service::Init
  action :stop
end

"recipes/service.rb"

service 'splunk' do
  supports :status => true, :restart => true
  provider Chef::Provider::Service::Init
  action :start
end

inputs.conf is too restrictive

The inputs.conf file needs to be able to handle more than just tcp:// as a source, file monitoring for example must also be an option.

I therefore propose a breaking change that will change the inputs.conf template to no longer have the hard-coded tcp:// source and instead have a fully attribute driven input selector, something like this:

default['splunk']['inputs_conf']['inputs'] = [
  {
    :inputname => 'monitor:///var/log/messages',
    :config => { :sourcetype => 'syslog', :disabled => 'false', :followTail => '0' }
  },
  {
    :inputname => 'tcp://:123123',
    :config => { :sourcetype => 'syslog' }
  }
]

NOTE: The above is only an illustration of options, very unlikely anyone would need both inputs in an inputs.conf file.
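
One way the proposed attribute structure could be turned into inputs.conf stanzas, as an added example rather than the cookbook's template or code from the post. `render_inputs_conf` is a hypothetical helper, and rejecting brackets and line breaks in names and values is an assumption made here so that an attribute value cannot open a second stanza.

```ruby
# The attribute value proposed in the post, as plain Ruby data (no Chef node object).
PROPOSED_INPUTS = [
  { inputname: 'monitor:///var/log/messages',
    config: { sourcetype: 'syslog', disabled: 'false', followTail: '0' } },
  { inputname: 'tcp://:123123', config: { sourcetype: 'syslog' } }
].freeze

# Render a list of { inputname:, config: } hashes as inputs.conf text.
# Hypothetical helper for this example, not part of the cookbook.
def render_inputs_conf(inputs)
  stanzas = inputs.map do |input|
    name = input.fetch(:inputname).to_s
    # A stanza header is a single bracketed line, so a name containing a
    # bracket or a line break could start an extra stanza. Assumed rule.
    if name.empty? || name.match?(/[\[\]\r\n]/)
      raise ArgumentError, "invalid input name: #{name.inspect}"
    end

    lines = ["[#{name}]"]
    input.fetch(:config, {}).each do |key, value|
      key = key.to_s
      value = value.to_s
      unless key.match?(/\A[A-Za-z_][\w.-]*\z/)
        raise ArgumentError, "invalid setting name: #{key.inspect}"
      end
      # A line break in a value would let it add settings or stanzas.
      if value.match?(/[\r\n]/)
        raise ArgumentError, "invalid value for #{key}: #{value.inspect}"
      end

      lines << "#{key} = #{value}"
    end
    lines.join("\n")
  end
  stanzas.join("\n\n") + "\n"
end

puts render_inputs_conf(PROPOSED_INPUTS) if __FILE__ == $PROGRAM_NAME
```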

Option to install splunkforwarder via system pkg manager (ie yum repo) not download URL

I have a use case where splunkforwarder RPM is already installed via company wide managed yum repo, such that the installed version is newer than what it is set in attributes.

It'd be nice if cookbook had option for a "no frills" package install which just relies on the system pkg manager instead of installing from cached remote file from the hardcoded URL in attributes

Versions in URLs not consistent in attributes/default.rb

Cookbook version

1.6.0 and current master in git as of 5/11/2017

Chef-client version

N/A

Platform Details

N/A

Problem

I was browsing the source and happened to notice some URLs are pointing to 6.3.3 and some are pointing to 6.5.1

From attributes/default.rb:

case node['platform_family']
when 'rhel', 'fedora'
  if node['kernel']['machine'] == 'x86_64'
    default['splunk']['forwarder']['url'] = 'https://download.splunk.com/products/universalforwarder/releases/6.5.1/linux/splunkforwarder-6.5.1-f74036626f0c-linux-2.6-x86_64.rpm'
    default['splunk']['server']['url'] = 'https://download.splunk.com/products/splunk/releases/6.5.1/linux/splunk-6.5.1-f74036626f0c-linux-2.6-x86_64.rpm'
  else
    default['splunk']['forwarder']['url'] = 'https://download.splunk.com/products/universalforwarder/releases/6.5.1/linux/splunkforwarder-6.5.1-f74036626f0c.i386.rpm'
    default['splunk']['server']['url'] = 'http://download.splunk.com/products/splunk/releases/6.3.3/linux/splunk-6.3.3-f44afce176d0.i386.rpm'
  end
when 'debian'
  if node['kernel']['machine'] == 'x86_64'
    default['splunk']['forwarder']['url'] = 'https://download.splunk.com/products/universalforwarder/releases/6.5.1/linux/splunkforwarder-6.5.1-f74036626f0c-linux-2.6-amd64.deb'
    default['splunk']['server']['url'] = 'https://download.splunk.com/products/splunk/releases/6.5.1/linux/splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb'
  else
    default['splunk']['forwarder']['url'] = 'https://download.splunk.com/products/universalforwarder/releases/6.5.1/linux/splunkforwarder-6.5.1-f74036626f0c-linux-2.6-intel.deb'
    default['splunk']['server']['url'] = 'http://download.splunk.com/products/splunk/releases/6.3.3/linux/splunk-6.3.3-f44afce176d0-linux-2.6-intel.deb'
  end
when 'omnios'
  default['splunk']['forwarder']['url'] = 'https://download.splunk.com/products/universalforwarder/releases/6.5.1/solaris/splunkforwarder-6.5.1-f74036626f0c-solaris-10-intel.pkg.Z'
  default['splunk']['server']['url'] = 'https://download.splunk.com/products/splunk/releases/6.5.1/solaris/splunk-6.5.1-f74036626f0c-solaris-10-intel.pkg.Z'
end
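
The inconsistency described in this post can be checked mechanically. The Ruby below is an added example, not code from the cookbook or the post: it parses the ten URLs from the excerpt, treats the most common version as the intended one, and reports entries whose version differs or whose scheme is plain http://, where nothing authenticates the package in transit. The labels and the helpers `describe_url` and `audit_urls` are made up for this example.

```ruby
require 'uri'

# URLs copied from the attributes/default.rb excerpt in the post.
# The keys are labels made up for this example.
BASE = 'download.splunk.com/products'
SPLUNK_URLS = {
  'rhel/x86_64 forwarder' => "https://#{BASE}/universalforwarder/releases/6.5.1/linux/splunkforwarder-6.5.1-f74036626f0c-linux-2.6-x86_64.rpm",
  'rhel/x86_64 server' => "https://#{BASE}/splunk/releases/6.5.1/linux/splunk-6.5.1-f74036626f0c-linux-2.6-x86_64.rpm",
  'rhel/32-bit forwarder' => "https://#{BASE}/universalforwarder/releases/6.5.1/linux/splunkforwarder-6.5.1-f74036626f0c.i386.rpm",
  'rhel/32-bit server' => "http://#{BASE}/splunk/releases/6.3.3/linux/splunk-6.3.3-f44afce176d0.i386.rpm",
  'debian/x86_64 forwarder' => "https://#{BASE}/universalforwarder/releases/6.5.1/linux/splunkforwarder-6.5.1-f74036626f0c-linux-2.6-amd64.deb",
  'debian/x86_64 server' => "https://#{BASE}/splunk/releases/6.5.1/linux/splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb",
  'debian/32-bit forwarder' => "https://#{BASE}/universalforwarder/releases/6.5.1/linux/splunkforwarder-6.5.1-f74036626f0c-linux-2.6-intel.deb",
  'debian/32-bit server' => "http://#{BASE}/splunk/releases/6.3.3/linux/splunk-6.3.3-f44afce176d0-linux-2.6-intel.deb",
  'omnios forwarder' => "https://#{BASE}/universalforwarder/releases/6.5.1/solaris/splunkforwarder-6.5.1-f74036626f0c-solaris-10-intel.pkg.Z",
  'omnios server' => "https://#{BASE}/splunk/releases/6.5.1/solaris/splunk-6.5.1-f74036626f0c-solaris-10-intel.pkg.Z"
}.freeze

# "<product>-<version>-<12 hex digit build>" at the start of the file name.
PACKAGE_RE = /\A(?<product>splunk(?:forwarder)?)-(?<version>\d+\.\d+\.\d+)-(?<build>\h{12})/

# Split one download URL into the parts worth comparing.
def describe_url(url)
  uri = URI.parse(url)
  file = File.basename(uri.path)
  m = PACKAGE_RE.match(file)
  raise ArgumentError, "unrecognised package name: #{file}" if m.nil?

  {
    scheme: uri.scheme,
    version: m[:version],
    build: m[:build],
    # Version as it appears in the ".../releases/<version>/..." directory.
    dir_version: uri.path[%r{/releases/([^/]+)/}, 1]
  }
end

# Returns the majority version and a list of [label, problem, value] findings.
def audit_urls(urls)
  info = urls.transform_values { |u| describe_url(u) }
  counts = info.values.each_with_object(Hash.new(0)) { |i, h| h[i[:version]] += 1 }
  expected = counts.max_by { |_, n| n }.first

  findings = []
  info.each do |label, i|
    findings << [label, :version_mismatch, i[:version]] if i[:version] != expected
    findings << [label, :path_mismatch, i[:dir_version]] if i[:dir_version] != i[:version]
    findings << [label, :not_https, i[:scheme]] if i[:scheme] != 'https'
  end
  { expected_version: expected, findings: findings }
end

if __FILE__ == $PROGRAM_NAME
  result = audit_urls(SPLUNK_URLS)
  puts "majority version: #{result[:expected_version]}"
  result[:findings].each { |label, problem, value| puts "#{label}: #{problem} (#{value})" }
end
```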

Help with splunkforwarder

It seems there is something this cookbook is keying off of to believe that splunk forwarder is installed. What is that?

Adding monitors and indexes via resources

Hey all,

I was looking through the source here and I can't see a generic way to add indexes and monitors via the standard Chefified resources. Does this exist in the cookbook today? If so where? Currently we just have shell resources executing the commands by hand but would rather have a more inline, idempotent way of doing this.

CI runs fail due to gem loading error.

Recipe Compile Error in /tmp/d20150514-26297-1d4v8fl/cookbooks/chef-splunk/recipes/setup_ssl.rb

LoadError

cannot load such file -- chef-vault

Cookbook Trace:

/tmp/d20150514-26297-1d4v8fl/cookbooks/chef-vault/recipes/default.rb:28:in `require'
/tmp/d20150514-26297-1d4v8fl/cookbooks/chef-vault/recipes/default.rb:28:in `from_file'
/tmp/d20150514-26297-1d4v8fl/cookbooks/chef-splunk/recipes/setup_ssl.rb:26:in `from_file'

Relevant File Content:

/tmp/d20150514-26297-1d4v8fl/cookbooks/chef-vault/recipes/default.rb:

Chef Splunk Config On Azure Marketplace Image Fails

Cookbook version

1.7.3

Chef-client version

13.0.118

Platform Details

Ubuntu 14.04 - Splunk Azure Marketplace Image

Scenario:

Configuration fails because it can't read /opt/splunk/etc/splunk-launch.conf

Steps to Reproduce:

Spin up a VM based off of the Splunk Azure marketplace image and run chef-client to configure Splunk

Expected Result:

Chef should complete successfully and start

Actual Result:

The process fails when attempting to start the Splunk service, stating:

ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment

This is because it cannot access /opt/splunk/etc/splunk-launch.conf as it is owned by root instead of splunk.

systemd service permissions

My logs are full of the following messages:

Jun 28 14:51:59 servername systemd: Configuration file /etc/systemd/system/splunk.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Jun 28 14:51:59 servername systemd: Configuration file /etc/systemd/system/splunk.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.

This is due to the file /etc/systemd/system/splunk.service having the execute bit set for the owner and not read to world. Can this be corrected in the following code? Instead of mode 700, mode 644?

 template '/etc/systemd/system/splunk.service' do
    source 'splunk-systemd.erb'
    mode '700'
    variables(
      splunkdir: splunk_dir,
      runasroot: node['splunk']['server']['runasroot']
    )
  end
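
A check for the two conditions systemd reports in these log lines, as an added Ruby example that is not part of the cookbook or the post. `unit_mode_findings`, `audit_unit_dir` and `demo_audit` are hypothetical helpers, the sample unit files are constructed in a temporary directory, and treating "world-inaccessible" as a missing read bit for others is an assumption taken from the wording of the post.

```ruby
require 'tmpdir'

# Permission problems for one unit file mode (integer, e.g. 0o700).
# Assumption for this example: the two conditions mirror the two log
# messages quoted in the post; this is not systemd's own code.
def unit_mode_findings(mode)
  perms = mode & 0o7777
  findings = []
  # Any execute bit triggers "is marked executable".
  findings << :executable unless (perms & 0o111).zero?
  # No read bit for others triggers "is marked world-inaccessible". The log
  # message itself says this hides nothing, because the configuration can
  # still be read through systemd's APIs.
  findings << :world_inaccessible if (perms & 0o004).zero?
  findings
end

# Map of file name => findings for every *.service file in dir that has any.
def audit_unit_dir(dir)
  Dir.glob(File.join(dir, '*.service')).sort.each_with_object({}) do |path, out|
    found = unit_mode_findings(File.stat(path).mode)
    out[File.basename(path)] = found unless found.empty?
  end
end

# Constructed sample: one unit with the mode from the post (700) and one
# with the mode the post asks for (644).
def demo_audit
  Dir.mktmpdir do |dir|
    { 'splunk.service' => 0o700, 'fixed.service' => 0o644 }.each do |name, mode|
      path = File.join(dir, name)
      File.write(path, "[Unit]\nDescription=constructed sample unit\n")
      File.chmod(mode, path)
    end
    audit_unit_dir(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_audit.each { |name, found| puts "#{name}: #{found.join(', ')}" }
end
```

Pointing `audit_unit_dir` at /etc/systemd/system on a converged node lists any unit files that would produce the same messages.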

Cloning resource

Cookbook version

chef-splunk 1.7.0

Chef-client version

chef-client --version
Chef: 12.20.3

Platform Details

CentOS Linux release 7.3.1611 (Core)

Scenario:

chef-client report:

Cloning resource attributes for service[splunk] from prior resource
Previous service[splunk]: /var/chef/cache/cookbooks/chef-splunk/recipes/client.rb:46:in `rescue in from_file'
Current service[splunk]: /var/chef/cache/cookbooks/chef-splunk/recipes/service.rb:88:in `from_file' at 1 location:
- /var/chef/cache/cookbooks/chef-splunk/recipes/service.rb:88:in `from_file'
See https://docs.chef.io/deprecations_resource_cloning.html for further details.

splunk user and chef-vault

Hi,

I downloaded cookbook chef-splunk from community and was trying to use it but ran into this issue.

  1. Run splunkforwarder as "splunk" user. As of now, execute block in "service.rb" doesn't support running as splunk user.
    recipes/service.rb

CURRENT:
if node['splunk']['accept_license']
  execute "#{splunk_cmd} enable boot-start --accept-license --answer-yes" do
    not_if { ::File.exists?('/etc/init.d/splunk') }
  end
end

TO BE DONE:

if node['splunk']['accept_license']
  execute "#{splunk_cmd} enable boot-start --accept-license --answer-yes -user #{node['splunk']['user']['username']}" do
    not_if { ::File.exists?('/etc/init.d/splunk') }
  end
end

With this, we would also need to fix the permissions on splunk_home "/opt/splunkforwarder" in recipes/client.rb
CURRENT:
directory "#{splunk_dir}/etc/system/local" do
  recursive true
  owner node['splunk']['user']['username']
  group node['splunk']['user']['username']
end

TO BE DONE:
execute "chown -R #{node['splunk']['user']['home']}" do
end

  2. Trying to access internet to install "chef-vault" in "recipes/client.rb"

I am trying to write a wrapper around this community cookbook and the wrapper fails to complete since in "recipes/client.rb" it tries to access internet to install "chef-vault".
Is it possible to override this in wrapper somehow to exclude this recipe run since machines don’t have internet access?
Or is it possible to introduce an attribute like internet_access or something so this recipe runs only when internet access is available?

Must stop splunk before running chef

For some reason I cannot get chef to successfully run without first stopping splunk.
If splunk is running it fails on the delayed restart with port already in use by splunk.

This is confusing because the init script appears to be working fine outside of chef, I can start stop and restart the service all day without issue, but after running chef the init script no longer works properly and I must killall splunkd.

---- Begin output of /etc/init.d/splunk start ----
...
STDOUT: Starting Splunk...

Splunk> The IT Search Engine.

Checking prerequisites...
        Checking mgmt port [8089]: Would you like to change ports? [y/n]:
Exiting due to --no-prompt.
STDERR: already bound
ERROR: The mgmt port [8089] is already bound.  Splunk needs to use this port.
---- End output of /etc/init.d/splunk start ----
Ran /etc/init.d/splunk start returned 1
[2015-06-15T17:11:55-06:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
[root@bld-paas-015 chef]# lsof -i | grep 8089
splunkd   17317    root    4u  IPv4 50460601      0t0  TCP *:8089 (LISTEN)
[root@bld-paas-015 chef]# service splunk stop
Stopping Splunk...
splunkd is not running.     
[root@bld-paas-015 chef]# ps aux | grep splunk
root     17317 13.5  0.6 221040 97500 ?        Sl   17:11   0:14 splunkd -p 8089 start
root     17318  0.0  0.0  52808  7676 ?        Ss   17:11   0:00 [splunkd pid=47] splunkd -p 8089 start [process-runner]
root     19292  0.0  0.0 103308   816 pts/0    S+   17:12   0:00 grep splunk
[root@bld-paas-015 chef]# killall splunk
splunk: no process killed
[root@bld-paas-015 chef]# killall splunkd
[root@bld-paas-015 chef]# service splunk start
Starting Splunk...

Splunk> The IT Search Engine.

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Declared role=universal_forwarder.
Done
                                                           [  OK  ]
[root@bld-paas-015 chef]# service splunk stop
Stopping Splunk...
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
                                                           [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.
[root@bld-paas-015 chef]# ps aux | grep splunk
root     19511  0.0  0.0 103304   816 pts/0    R+   17:13   0:00 grep splunk
[root@bld-paas-015 chef]# service splunk start
Starting Splunk...

Splunk> The IT Search Engine.

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Declared role=universal_forwarder.
Done
                                                           [  OK  ]
[root@bld-paas-015 chef]# ps aux | grep splunk
root     19590 21.2  0.5 199224 92044 ?        Sl   17:16   0:01 splunkd -p 8089 start
root     19591  0.0  0.0  49428  5764 ?        Ss   17:16   0:00 [splunkd pid=19590] splunkd -p 8089 start [process-runner]
root     19626  0.0  0.0 103304   816 pts/0    S+   17:16   0:00 grep splunk
[root@bld-paas-015 chef]# service splunk restart
Restarting Splunk...
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
                                                           [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.

Splunk> The IT Search Engine.

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Declared role=universal_forwarder.
servDone
                                                           [  OK  ]
[root@bld-paas-015 chef]# service splunk start
Starting Splunk...
The splunk daemon (splunkd) is already running.            [FAILED]
[root@bld-paas-015 chef]# echo $?
0

Non chef managed Splunk Server(Indexer)

More of a question.
splunk_servers is populated through search

splunk_servers = search( # ~FC003
  :node,
  "splunk_is_server:true AND chef_environment:#{node.chef_environment}"
).sort! do |a, b|
  a.name <=> b.name
end

What happens when there is no such node, when the indexer is not part of chef infra?

splunk user creation

The splunk home directory is set correctly during a new installation with ['splunk']['is_server'] = true.

Once installed, if you delete the splunk user from /etc/passwd and re-run chef-client, it will re-create the user in the /etc/passwd file again, but with an incorrect home directory of /home/splunk instead of /opt/splunk.

node['splunk']['tcpout_server_config_map'] doesn't exist

Hi all, just an FYI and probably more of an issue with the readme, but it describes an attribute "node['splunk']['tcpout_server_config_map']" used to set up SSL. That attribute isn't referenced anywhere in the cookbook. I was able to just add the relevant attributes "sslCertPath", etc. to my "override['splunk']['outputs_conf']" attribute array. I'm guessing it was removed without updating the readme. Thanks for reading!

Configure Heavy Forwarder attributes

Cookbook version

1.7.3

Chef-client version

14.8.12

Platform Details

CentOS Linux release 7.5.1804 (Core)

Scenario:

How would I use this cookbook to only enable the Heavy Forwarder role ?
(I don't want my node to behave as a Splunk Indexer, etc -- only a Heavy Forwarder.)

Steps to Reproduce:

N/A

Expected Result:

N/A

Actual Result:

N/A

Thanks so much for your help !
-David

Splunk version v7.1.1+

Cookbook version

1.7.3

Chef-client version

14.4.56

Platform Details

CentOS 7.5

Scenario:

Install SplunkForwarder v7, setup a deploymentclient.conf and run the splunkforwarder.

Steps to Reproduce:

Set the following attributes in a wrapper cookbook and include_recipe "chef-splunk":

default['splunk']['forwarder']['url'] = "https://download.splunk.com/products/universalforwarder/releases/7.1.1/linux/splunkforwarder-7.1.1-8f0ead9ec3db-linux-2.6-x86_64.rpm"
default['splunk']['accept_license'] = true
default['splunk']['setup_auth'] = false

Expected Result:

Install the SplunkForwarder and not break the Chef run.

Actual Result:

[2019-03-11T12:28:33+00:00] FATAL: Chef::Exceptions::MultipleFailures: Multiple failures occurred:
       * Mixlib::ShellOut::ShellCommandFailed occurred in chef run: execute[/opt/splunkforwarder/bin/splunk enable boot-start --accept-license --answer-yes] (chef-splunk::service line 53) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
       ---- Begin output of /opt/splunkforwarder/bin/splunk enable boot-start --accept-license --answer-yes ----
       STDOUT: Password must contain at least:
          * 8 total printable ASCII character(s).
       
       This appears to be your first time running this version of Splunk.
       
       An Admin password must be set before installation proceeds.
       STDERR: tcgetattr: Inappropriate ioctl for device
       WARNING: error changing terminal modes - password will echo!
       Please enter a new password: 
       First-time-run has not finished.  Ignore this error when previewing migration - exiting.
       ---- End output of /opt/splunkforwarder/bin/splunk enable boot-start --accept-license --answer-yes ----
       Ran /opt/splunkforwarder/bin/splunk enable boot-start --accept-license --answer-yes returned 1
       * Mixlib::ShellOut::ShellCommandFailed occurred in delayed notification: service[splunk] (chef-splunk::service line 88) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '5'
       ---- Begin output of /bin/systemctl --system restart splunk ----
       STDOUT: 
       STDERR: Failed to restart splunk.service: Unit not found.
       ---- End output of /bin/systemctl --system restart splunk ----
       Ran /bin/systemctl --system restart splunk returned 5

Nothing happening when using latest version with Splunk 6.5.1 paths

Cookbook version

739855e

Chef-client version

Chef: 12.14.89

Platform Details

Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-71-generic x86_64)

Scenario:

Install the latest (6.5.1) version of Splunk on a machine having 6.3.3 installed (also with chef-splunk cookbook).

Steps to Reproduce:

  1. Install latest version of this cookbook
  2. Run chef-client on the machine in question

Expected Result:

Splunk 6.5.1 to be installed.

Actual Result:

  • It doesn't install 6.5.1. However, it does download the .deb file, but doesn't seem to proceed with the actual installation.
  • Have tried booting the machine.
  • Re-running chef-client many times (also tried removing the .deb file to try trigger an install).

From chef client log

Recipe: chef-splunk::install_server
  * remote_file[/var/chef/cache/splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb] action create_if_missing
    - create new file /var/chef/cache/splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb
    - update content in file /var/chef/cache/splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb from none to 34bf4d
    (file sizes exceed 10000000 bytes, diff output suppressed)
  * dpkg_package[splunk] action install (up to date)
Recipe: chef-splunk::service
  * directory[/opt/splunk] action create (up to date)
  * directory[/opt/splunk/var] action create (up to date)
  * directory[/opt/splunk/var/log] action create (up to date)
  * directory[/opt/splunk/var/log/splunk] action create (up to date)
  * execute[/opt/splunk/bin/splunk enable boot-start --accept-license --answer-yes] action run (skipped due to only_if)
  * ruby_block[splunk_fix_file_ownership] action run (skipped due to not_if)
  * template[/etc/init.d/splunk] action create (up to date)
  * service[splunk] action start (up to date)

Still 6.3.3 installed.

~$ dpkg --status splunk
Package: splunk
Status: install ok installed
Maintainer: Splunk Inc. <[email protected]>
Architecture: amd64
Version: 6.3.3
Description: Splunk The platform for machine data.

Downloaded file seems to be 6.5.1

~$ dpkg-deb -f /var/chef/cache/splunk-6.5.1-f74036626f0c-linux-2.6-amd64.deb
Package: splunk
Version: 6.5.1
Maintainer: Splunk Inc. <[email protected]>
Architecture: amd64
Description: Splunk The platform for machine data.

Splunk Service Restart Times Out

Cookbook version

chef-splunk (1.7.1)

Chef-client version

Starting Chef Client, version 12.13.37

Platform Details

ubuntu 16.04

Scenario:

Provision splunk server

Steps to Reproduce:

My environment is pretty locked down. When I provision a splunk instance, it gets as far as the service restart and fails, since splunkd tries to reach the internet when starting the service but it can't, so the operation times out. I can connect to the instance and restart the service manually and it will eventually restart, but it takes about 5 mins. Is it possible to add an attribute to set a proxy server in the cookbook, or a timeout period for the service restart section?

  • service[splunk] action start
    ================================================================================
    Error executing action start on resource 'service[splunk]'
    ================================================================================

                                   Mixlib::ShellOut::ShellCommandFailed
                                   ------------------------------------
                                   Expected process to exit with [0], but received '1'
                                   ---- Begin output of /bin/systemctl --system start splunk ----
                                   STDOUT: 
                                   STDERR: Job for splunk.service failed because a timeout was exceeded. See "systemctl status splunk.service" and "journalctl -xe" for details.
                                   ---- End output of /bin/systemctl --system start splunk ----
                                   Ran /bin/systemctl --system start splunk returned 1
                                   
                                   Resource Declaration:
                                   ---------------------
                                   # In /var/chef/cache/cookbooks/chef-splunk/recipes/service.rb
                                   
                                    88:   service 'splunk' do
                                    89:     supports status: true, restart: true
                                    90:     provider Chef::Provider::Service::Systemd
                                    91:     action [:enable, :start]
                                    92:   end
                                    93: else
    

Expected Result:

Service expected to start

Actual Result:

starting the service fails

chef-splunk depends on chef-vault >= 1.0.4, but chef-vault is only at 1.0.3?

Folks,

I just noticed that the metadata.rb file in this cookbook appears to depend on chef-vault >= 1.0.4, but checking https://github.com/opscode-cookbooks/chef-vault/blob/master/metadata.rb I see that the current version of chef-vault is apparently only version 1.0.3.

Am I missing something here? Or is this cookbook under active development with a version of the chef-vault cookbook that has not yet been released?

Just curious. Thanks!

sensitive attribute needed for execute[change-admin-user-password-from-default] resource

Cookbook version

1.6.0 & 1.7.0

Chef-client version

12.14.89

Platform Details

redhat 6 & 7

Scenario:

install splunk client

Steps to Reproduce:

  • Run the chef-splunk::client recipe with node['splunk']['setup_auth'] = true
  • check the chef client log file

Expected Result:

sensitive password of the splunk admin account should not be displayed

Actual Result:

Recipe: chef-splunk::setup_auth
  * execute[change-admin-user-password-from-default] action run
    - execute /opt/splunkforwarder/bin/splunk edit user admin -password 'REDACTED' -role admin -auth admin:changeme

This execute resource should have the sensitive true property set to hide the admin password.
https://github.com/chef-cookbooks/chef-splunk/blob/master/recipes/setup_auth.rb#L24-L27
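
A check for the exposure this issue reports, as an added example that is not part of the issue or the cookbook: a Ruby scan of chef-client log text for Splunk CLI credentials passed as `-password` or `-auth user:pass` arguments. The function name, the patterns and the sample log (modelled on the excerpt above, with a constructed password) are assumptions made for illustration.

```ruby
# Added example: flag and mask Splunk CLI credentials that show up in
# chef-client log output when an execute resource is not marked sensitive.

# Credential-bearing CLI arguments seen in the logged command:
#   -password <value>        (value may be quoted)
#   -auth <user>:<password>
PASSWORD_ARG = /(-password\s+)('[^']*'|"[^"]*"|\S+)/
AUTH_ARG     = /(-auth\s+)([^\s:'"]+):('[^']*'|"[^"]*"|\S+)/

# Returns one hash per offending line: { line:, kinds:, masked: }.
def scan_chef_log(text)
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    kinds = []
    kinds << :password_arg if line.match?(PASSWORD_ARG)
    kinds << :auth_arg if line.match?(AUTH_ARG)
    next if kinds.empty?

    # Keep the argument name (and the user name for -auth), mask the secret.
    masked = line.gsub(PASSWORD_ARG) { "#{$1}****" }
                 .gsub(AUTH_ARG) { "#{$1}#{$2}:****" }
    findings << { line: lineno, kinds: kinds, masked: masked }
  end
  findings
end

# Constructed sample log; the password value is made up.
SAMPLE_LOG = <<~LOG
  Recipe: chef-splunk::setup_auth
    * execute[change-admin-user-password-from-default] action run
      - execute /opt/splunkforwarder/bin/splunk edit user admin -password 'Constructed-Pw-1' -role admin -auth admin:changeme
    * service[splunk] action start (up to date)
LOG

if __FILE__ == $PROGRAM_NAME
  scan_chef_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]} #{f[:kinds].inspect}: #{f[:masked].strip}"
  end
end
```

Logs written before the resource is marked sensitive still hold the old command line, so the scan is worth running over archived chef-client logs as well as new ones.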

Unable to run as Splunk user on system with restrictive umask

Cookbook version

version '1.7.2'

Chef-client version

12 and 13

Platform Details

Tested on CentOS with umask 027

Scenario:

Deploy Splunk as a non-root user.

Steps to Reproduce:

Run server-cluster-master suite on OS with umask set to 027

Expected Result:

Splunk should be able to start in a secure environment

Actual Result:

Splunk is unable to start as the web.conf file is owned by root:root and has permissions of 640. Thus the splunk user is unable to read the web.conf file and start the service.

chefspecs testing for omnios fail (platform not supported)

Cookbook version

1.7.3

Chef-client version

chef 13.12.14

Scenario:

Running chefspec results in a failure for an unsupported platform: omnios. This platform is not listed in the cookbook's metadata.rb as a supported platform.

Steps to Reproduce:

chef exec bundle install
rspec spec/recipes/install_forwarder_spec.rb

Expected Result:

ChefSpec passes - testing of only supported platforms per metadata.rb

Actual Result:

Chefspec fails with fauxhai error:

     Fauxhai::Exception::InvalidPlatform:
       Could not find platform 'omnios/151018' on the local disk and an HTTP error was encountered when fetching from Github. A list of available platforms is available at https://github.com/chefspec/fauxhai/blob/master/PLATFORMS.md

metadata.rb only lists debian, ubuntu, redhat, and centos as supported. This failure occurs in the install_forwarder_spec.rb, install_server_spec.rb, and user_spec.rb examples.

chef-splunk$ cd spec/recipes/
recipes$ grep omnios *
install_forwarder_spec.rb:  context 'omnios family' do
install_forwarder_spec.rb:        platform: 'omnios',
install_server_spec.rb:  context 'omnios family' do
install_server_spec.rb:        platform: 'omnios',
user_spec.rb:        platform: 'omnios',

splunk_servers is not comma separated

In templates outputs.conf.erb:
server=<% @splunk_servers.map do |s| -%><%= s['ipaddress'] %>:<%= s['splunk']['receiver_port'] %> <% end.join(', ') -%>

makes me think that the list of servers should be comma separated.
Instead, as a result, I get no commas in between the server:port values, e.g:
server=10.214.127.38:9997 10.214.127.28:9997 10.214.127.30:9997

Running: Chef: 12.4.1
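
The behaviour reported in this issue, reproduced as an added example that is not part of the issue or the cookbook: inside a `<% ... do %>` block each `<%= %>` writes straight to the output, so the string returned by `.join(', ')` in a statement tag is thrown away. The template is rendered here with Ruby's standard ERB library rather than through Chef; `JOINED_TEMPLATE`, the helper names and the sample addresses are assumptions.

```ruby
require 'erb'

# Template line as quoted in the issue.
ORIGINAL_TEMPLATE = <<~'TEMPLATE'
  server=<% @splunk_servers.map do |s| -%><%= s['ipaddress'] %>:<%= s['splunk']['receiver_port'] %> <% end.join(', ') -%>
TEMPLATE

# Assumed alternative (not taken from the cookbook): build the list inside a
# single <%= %> tag so the value returned by join is what gets written.
JOINED_TEMPLATE = <<~'TEMPLATE'
  server=<%= @splunk_servers.map { |s| "#{s['ipaddress']}:#{s['splunk']['receiver_port']}" }.join(', ') %>
TEMPLATE

# Constructed node data (documentation address range).
SERVERS = [
  { 'ipaddress' => '192.0.2.10', 'splunk' => { 'receiver_port' => 9997 } },
  { 'ipaddress' => '192.0.2.11', 'splunk' => { 'receiver_port' => 9997 } }
].freeze

# Minimal stand-in for the template context: exposes @splunk_servers.
class OutputsContext
  def initialize(servers)
    @splunk_servers = servers
  end

  def render(template)
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

def render_outputs(template, servers = SERVERS)
  OutputsContext.new(servers).render(template)
end

if __FILE__ == $PROGRAM_NAME
  puts "original: #{render_outputs(ORIGINAL_TEMPLATE).rstrip}"
  puts "joined:   #{render_outputs(JOINED_TEMPLATE).rstrip}"
end
```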

Extraneous dotfiles in test fixtures

Seem to have been introduced in 0ec8a6d - .!.png, .!.spl in the test fixtures directory.

Not sure if anyone wants to rewrite the commit in question or just remove the offending files and add the right pattern to .gitignore...

Support for installing splunk apps from local file

Cookbook version

1.7.3

Chef-client version

14.5.33

Platform Details

CentOS 7.5 (VirtualBox via Vagrant)

Scenario:

Feature Request: Ability to install Splunk Apps via local file instead of remote file

Steps to Reproduce:

Assume that we download the app package (.tar.gz) onto the local system through a method aside from remote_file (ex. download from an S3 bucket or copied onto a system through an out of band method), I'd like to point to a local path (ex. /tmp/splunk_special_app.tar.gz) and install directly.

Expected Result:

Using the remote_file method fails, even if I specify file://tmp/splunk_special_app.tar.gz. I would expect the splunk_app resource to look something like this:

splunk_app 'sanitycheck' do
  local_file '/tmp/sanitycheck.tar.gz'
  splunk_auth 'admin:notarealpassword'
  action :install
end

Remove dependency on chef-vault

I understand why chef-vault has been used here.
But chef-vault is just one of many solutions for the problem to solve.

The splunk cookbook is a typical application cookbook. It should do its job and stop right there.
Each user should then follow the wrapper cookbook pattern to implement organization specific decisions. For example, whether or not to use chef-vault...

It would be great if this cookbook would remove its dependency on chef-vault.

  • The sensitive attributes should be stored in node attributes.
  • A wrapper cookbook would then use node.run_state[:my_splunk_secret] = '…' to set these sensitive attributes only for the runtime.

kitchen converge fails when using docker driver instead of vagrant

Cookbook version

latest chef with cookbook version 1.7.2

Platform Details

docker

Scenario:

I am trying to run the splunk server in a docker container, and the service fails to start, saying unusable filesystem.

Steps to Reproduce:

I am trying to set up kitchen converge on any of the fixture cookbooks using chef_zero/chef_solo as a provisioner.
In .kitchen.yml, change the driver from vagrant to docker; maybe use chef_zero / chef_solo to spin up the install on a docker container.

Expected Result:

Expect to have splunk server running under root and ready to get the data from client

Actual Result:

splunk service not getting started.

================================================================================
Error executing action start on resource 'service[splunk]'
================================================================================

       Mixlib::ShellOut::ShellCommandFailed
       ------------------------------------
       Expected process to exit with [0], but received '10'
       ---- Begin output of /etc/init.d/splunk start ----
       STDOUT: Starting Splunk...
       
       Splunk> 4TW
       
       Checking prerequisites...
       	Checking http port [8000]: open
       	Checking mgmt port [8089]: open
       	Checking appserver port [127.0.0.1:8065]: open
       	Checking kvstore port [8191]: open
       	Checking configuration...  Done.
       New certs have been generated in '/opt/splunk/etc/auth'.
       	Checking critical directories...	Done
       	Checking indexes...
       		Creating: /opt/splunk/var/lib/splunk
       		Creating: /opt/splunk/var/run/splunk
       		Creating: /opt/splunk/var/run/splunk/appserver/i18n
       		Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
       		Creating: /opt/splunk/var/run/splunk/upload
       		Creating: /opt/splunk/var/spool/splunk
       		Creating: /opt/splunk/var/spool/dirmoncache
       		Creating: /opt/splunk/var/lib/splunk/authDb
       		Creating: /opt/splunk/var/lib/splunk/hashDb
       STDERR: homePath='/opt/splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.
       Validating databases (splunkd validatedb) failed with code '1'.  If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue
