Friday, February 13, 2015

Deploying Hardened Splunk with Ansible

I just finished two blog posts on the Splunk blog which cover how to get started with Ansible and deploy hardened Splunk instances. I also dive into how to deploy and manage multiple custom Splunk environments in AWS using Ansible.

Part 1 covers how to get started using Splunk with Ansible.
There is also a GitHub repo with the playbooks, broken down into roles:

  • Common - copies keys over, installs basic utils (screen, vim, etc.), and hardens the server (installs rkhunter, chkrootkit and clamav plus cron jobs to run them)
  • Search Head - installs a Splunk search head, changes the default password, hardens Splunk Web, among other things, and runs it as the splunk user
  • Indexer - installs a Splunk indexer and copies over the indexes and the certs/keys for secure comms
  • Universal Forwarder - installs a UF and deploys inputs.conf and outputs.conf
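To make the roles above concrete, here is an added example of what the Common and Search Head roles look like as a single Ansible playbook. It is not the playbooks from the post's repo; it assumes Debian/Ubuntu hosts reachable as the `ubuntu` user, a Splunk 6.x-era tarball already unpacked under `/opt/splunk` (so `enable boot-start` writes a SysV init script), a `splunk_admin_password` variable supplied from a vault file, and inventory groups named `splunk` and `splunk_searchhead`. The Indexer and Universal Forwarder roles are left out.

```yaml
# Added example, not the playbooks from the post's repo: a condensed, single-file
# version of the "Common" and "Search Head" roles described above.
# Assumptions: Debian/Ubuntu hosts reachable as the "ubuntu" user, Splunk already
# unpacked under /opt/splunk, and splunk_admin_password supplied from a vault file.
---
- name: Common role - keys, basic utils, rootkit/malware scanners and their cron jobs
  hosts: splunk
  become: true
  vars:
    admin_pubkey: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"   # assumed key path
  tasks:
    - name: Copy the admin SSH public key over
      ansible.builtin.authorized_key:
        user: ubuntu
        key: "{{ admin_pubkey }}"

    - name: Install basic utilities and host-hardening tools
      ansible.builtin.apt:
        name: [screen, vim, rkhunter, chkrootkit, clamav]
        state: present
        update_cache: true

    - name: Baseline rkhunter's file-property database on the freshly built host
      ansible.builtin.command: rkhunter --propupd
      changed_when: false

    - name: Schedule the scanners (cron mails non-empty output to root)
      ansible.builtin.cron:
        name: "{{ item.name }}"
        minute: "0"
        hour: "{{ item.hour }}"
        job: "{{ item.job }}"
      loop:
        - { name: rkhunter,   hour: "2", job: "rkhunter --cronjob --update --rwo" }
        - { name: chkrootkit, hour: "3", job: "chkrootkit -q" }
        - { name: clamav,     hour: "4", job: "clamscan -ri /opt /home --log=/var/log/clamav/daily.log" }

- name: Search Head role - unprivileged service account, TLS on Splunk Web, rotated default password
  hosts: splunk_searchhead
  become: true
  vars:
    splunk_home: /opt/splunk
  tasks:
    - name: Create the splunk service account (no interactive login)
      ansible.builtin.user:
        name: splunk
        system: true
        shell: /usr/sbin/nologin
        home: "{{ splunk_home }}"
        create_home: false

    - name: Hand the Splunk tree to that account so splunkd never runs as root
      ansible.builtin.file:
        path: "{{ splunk_home }}"
        owner: splunk
        group: splunk
        recurse: true

    - name: Harden Splunk Web - HTTPS only, TLS 1.2 only
      ansible.builtin.blockinfile:
        path: "{{ splunk_home }}/etc/system/local/web.conf"
        create: true
        owner: splunk
        group: splunk
        mode: "0600"
        block: |
          [settings]
          enableSplunkWebSSL = true
          sslVersions = tls1.2

    - name: Register Splunk as a boot-time service that runs as the splunk user
      ansible.builtin.command: >
        {{ splunk_home }}/bin/splunk enable boot-start -user splunk
        --accept-license --answer-yes --no-prompt
      args:
        creates: /etc/init.d/splunk   # assumes the SysV init script of 6.x-era Splunk

    - name: Start Splunk through the init script it just wrote
      ansible.builtin.service:
        name: splunk
        state: started
        enabled: true

    - name: Replace the well-known default admin password (first run only)
      ansible.builtin.shell: >
        {{ splunk_home }}/bin/splunk edit user admin
        -password '{{ splunk_admin_password }}' -auth admin:changeme
        && touch {{ splunk_home }}/etc/.admin_password_rotated
      args:
        creates: "{{ splunk_home }}/etc/.admin_password_rotated"   # marker keeps the play idempotent
      become_user: splunk
      no_log: true   # keep the new password out of the Ansible output and logs
```

Two design points worth copying: the password change is guarded by a marker file so a second run does not fail on the now-invalid `admin:changeme` credentials, and `no_log: true` stops the new password from landing in the Ansible output or log files, which would otherwise undo the point of rotating it.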

Part 2 covers how to scale it on AWS with multiple Splunk instances and ultimately manage it as a service. In part two the Ansible inventory changes from a static hosts file to a dynamic inventory fed from the AWS instances, so it has its own GitHub repo.
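The post's part two drives the inventory from a script that queries AWS. As an added example that is not the repo's code, the same idea is expressed below with the `aws_ec2` inventory plugin from the `amazon.aws` collection, which did not exist when the post was written. It assumes AWS credentials in the environment, and that every Splunk instance carries an `Application=splunk` tag plus `Role` (searchhead, indexer or forwarder) and `Env` (prod or staging) tags; the file name must end in `aws_ec2.yml` for the plugin to pick it up.

```yaml
# Added example, not the post's inventory script: inventory/splunk_aws_ec2.yml
# Assumes the amazon.aws collection, AWS credentials in the environment, and
# instances tagged Application=splunk, Role=<searchhead|indexer|forwarder>, Env=<prod|staging>.
plugin: amazon.aws.aws_ec2
regions:
  - us-east-1                        # assumed region
filters:
  instance-state-name: running
  tag:Application: splunk            # only this service's instances, nothing else in the account
hostnames:
  - private-ip-address               # manage hosts over the VPC, not their public addresses
compose:
  ansible_host: private_ip_address
keyed_groups:
  - key: tags.Role
    prefix: splunk
    separator: "_"                   # -> splunk_searchhead, splunk_indexer, splunk_forwarder
  - key: tags.Env
    prefix: env
    separator: "_"                   # -> env_prod, env_staging
groups:
  # one umbrella group for the common hardening play to target
  splunk: "'Application' in tags and tags.Application == 'splunk'"
```

Run `ansible-inventory -i inventory/splunk_aws_ec2.yml --graph` to see the groups the plugin builds, and limit a play to one environment with an intersection such as `--limit 'splunk_searchhead:&env_staging'`. Because group membership comes from tags rather than a hand-maintained file, an instance that is retagged or terminated drops out of the next run by itself, which is what makes the "manage it as a service" part workable.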