https://github.com/bernardofosu/intall_splunk_bash_script_updated
https://github.com/bernardofosu/intall_splunk_bash_script_updated
Last synced: 5 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/bernardofosu/intall_splunk_bash_script_updated
- Owner: bernardofosu
- Created: 2025-02-27T00:03:50.000Z (10 months ago)
- Default Branch: main
- Last Pushed: 2025-03-04T03:02:15.000Z (10 months ago)
- Last Synced: 2025-03-12T03:35:25.763Z (10 months ago)
- Language: Shell
- Size: 13.7 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: history_timestamp.md
Awesome Lists containing this project
README
# π Install Splunk Using a Bash Script
## π Key Notes:
β
This script installs Splunk 9.4.0 for Linux.
β
Designed for Ubuntu, but can be modified for other distros.
β
If you're using Amazon Linux, replace apt with yum.
β
For RedHat, replace apt with dnf.
## π Installation Instructions:
**1οΈβ£** Open the install_splunk.sh script file using any text editor.
**2οΈβ£** Copy all the script content.
**3οΈβ£** On your server, use a text editor (nano or vi) and paste the script.
**4οΈβ£** Save the file and exit the editor.
## π Grant Execution Permissions:
After creating the script, run the following command to make it executable:
```sh
sudo chmod +x install_splunk.sh
```
### π Run the installation script
```sh
sudo ./install_splunk.sh
```
##### π Note:
_**./** means you are running the script from the current directory. If you are not in the current directory, use the full path to the script instead_
_π Using sudo ensures proper permissions for installation!_
_π€ If you're not using the root user, you'll need sudo to perform administrative actions during installation_
## π Whatβs Inside the Installation Script?
### 1οΈβ£ Shebang & Description
```bash
#!/bin/bash
```
This line tells the system that the script should be run using the Bash shell.
### 2οΈβ£ Updating OS & Installing Required Packages π οΈ
```bash
apt-get update -y
apt-get install -y \
bc \
net-tools \
ncat \
socat \
nethogs \
htop \
vim \
sysstat \
nano \
git \
cowsay \
chrony \
rsync
```
- apt-get update -y: Updates the package list to get the latest versions. π
- apt-get install -y ...: Installs useful tools like:
bc: Calculator π
- net-tools: Network utilities π
- ncat, socat: Networking tools π
- htop: System monitoring π
- vim, nano: Text editors βοΈ
- git: Version control π
- cowsay: Fun ASCII messages π
- chrony: Time synchronization β³
- rsync: File syncing tool π
### 3οΈβ£ Setting Up Log Cleanup in Cron β°
```bash
crontab -l > mycron
echo "0 */1 * * * /usr/bin/find /opt/syslog/ -type d -ctime +2 -exec rm -rf {} \;" >> mycron
```
- crontab mycron
- rm mycron
-
Creates a cron job that deletes logs older than 2 days, every hour. ππ§Ή
### 4οΈβ£ Configure Bash History to Show Timestamps β³
```bash
echo "# Add date/time information to bash history
export HISTTIMEFORMAT=\"%F %T \"" | sudo tee -a /etc/profile.d/sdaedu.sh && source /etc/profile.d/sdaedu.sh
```
#### Adds timestamps
π to Bash history so commands are logged with date/time.
#### Explanation:
- HISTTIMEFORMAT=\"%F %T \":
- %F expands to YYYY-MM-DD format.
- %T expands to HH:MM:SS (24-hour time format).
[Read More on History and TimeStamp](history_timestamp.md)
### 5οΈβ£ User Session Timeout (Security) π
```bash
cat >> /etc/bashrc << 'EOF'
# Added TMOUT as read-only for CIS compliance.
TMOUT=300
readonly TMOUT
export TMOUT
EOF
```
This configuration enforces an automatic logout after 5 minutes of inactivity, which helps improve system security by preventing unauthorized access to idle terminals. The setting is immutable, ensuring users cannot override it.
- Sets a session timeout of 300 seconds (5 minutes) β³
- Enforces security by automatically logging out inactive users.
### 6οΈβ£ Change Default Shell to Bash π
```bash
sed -i '8d' /etc/default/useradd
sed -i '8iSHELL=/bin/bash' /etc/default/useradd \
```
Modifies the default shell to Bash (/bin/bash) for new users.
Bash is More Powerful: Bash (Bourne Again Shell) is more feature-rich than /bin/sh. It supports:
- Command history.
- Tab-completion.
- Scripting enhancements.
### 7οΈβ£ Create Users & Configure Permissions π₯
```bash
useradd -m splunk
useradd -m atlgsdachedu
usermod -a -G splunk atlgsdachedu
chage -M -1 atlgsdachedu
echo "splunk:splunk123" | sudo chpasswd
echo "atlgsdachedu:splunk123" | sudo chpasswd
echo "atlgsdachedu ALL=(ALL) NOPASSWD:ALL" | tee --append /etc/sudoers.d/atlgsdachedu
echo "splunk ALL=(ALL) NOPASSWD:ALL" | sudo tee --append /etc/sudoers.d/splunk
```
Creates users:
- splunk: For running Splunk.
- atlgsdachedu: Additional user.
- Create Password for users
-Gives atlgsdachedu sudo access π
### 8οΈβ£ Restore Default Shell to /bin/sh
```bash
sed -i '8d' /etc/default/useradd
sed -i '8iSHELL=/bin/sh' /etc/default/useradd \
```
#### Reverts the default shell to /bin/sh.
splunk user will still have Bash (/bin/bash) as its default shell unless explicitly changed.
##### Why?
- Changing the default shell in /etc/default/useradd only affects new users created after the change.
- Since splunk was created before the default was changed back to /bin/sh, it will retain whatever shell was assigned during its creation (/bin/bash in this case).
### 9οΈβ£ Set Password Complexity Rules π
```sh
Edit
echo "minlen = 8" | tee --append /etc/security/pwquality.conf
```
Enforces a minimum password length of 12 characters for security.
### π System Resource Limits Optimization π
```bash
sed -i 's/#DefaultLimitNOFILE=/# atlgsdachedu modified value below\nDefaultLimitNOFILE=65000/' /etc/systemd/system.conf
sed -i 's/#DefaultLimitNPROC=/# atlgsdachedu modified value below\nDefaultLimitNPROC=16000/' /etc/systemd/system.conf
sed -i 's/#DefaultTasksMax=80%/# atlgsdachedu modified value below\nDefaultTasksMax=8192/' /etc/systemd/system.conf
```
Here are the updated sed commands without the comments:
```sh
sed -i 's/#DefaultLimitNOFILE=/DefaultLimitNOFILE=64000/' /etc/systemd/system.conf
sed -i 's/#DefaultLimitNPROC=/DefaultLimitNPROC=16000/' /etc/systemd/system.conf
sed -i 's/#DefaultTasksMax=80%/DefaultTasksMax=8192/' /etc/systemd/system.conf
```
Optimizes system performance by adjusting limits:
NOFILE=64000 (Max open files) π
NPROC=16000 (Max processes per user) π
TasksMax=8192 (Max tasks per service)
Command to Check Changes:
```sh
grep -E 'DefaultLimitNOFILE|DefaultLimitNPROC|DefaultTasksMax' /etc/systemd/system.conf
```
The **-E** flag in grep stands for "extended regular expressions" (ERE). It allows the use of more complex pattern-matching syntax compared to basic regular expressions.
Explanation:
- grep -E: Enables extended regular expressions, allowing the use of | for "or" conditions without needing to escape it (i.e., \|).
- 'DefaultLimitNOFILE|DefaultLimitNPROC|DefaultTasksMax': This pattern searches for any line in the file that contains DefaultLimitNOFILE, DefaultLimitNPROC, or DefaultTasksMax.
- /etc/systemd/system.conf: Specifies the file to search.
Purpose:
- The command will print any lines from /etc/systemd/system.conf that contain one or more of the specified strings. This is useful for verifying the updated ulimit values in the configuration file.
### 1οΈβ£1οΈβ£ Disable Transparent Huge Pages (THP) π
```bash
echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled
echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag
grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) transparent_hugepage=never"
```
Improves performance by disabling THP (reduces memory fragmentation).
### Why Use These Commands?
- Performance Improvements: Disabling THP can improve performance for some applications, especially databases like MongoDB, Splunk, and Redis, which are sensitive to the overhead THP can introduce.
- System-Wide Consistency: By setting the option in GRUB, the configuration persists across reboots, ensuring the system behavior remains consistent.
### 1οΈβ£2οΈβ£ Setup Splunk User Directory π
```bash
mkdir /opt/splunk
chown -R splunk:splunk /opt/splunk
```
Creates /opt/splunk for Splunk installation.
### 1οΈβ£3οΈβ£ File Permissions π
```bash
chown splunk. /opt/splunk
setfacl -Rdm u:splunk:rX /var/log/
setfacl -Rm "u:splunk:r-X" /var/log/
```
**setfacl** is a Linux command used to manage Access Control Lists (ACLs), which provide fine-grained control over file and directory permissions beyond the traditional Unix file permission model. ACLs allow you to grant specific users or groups permissions on files and directories, without changing ownership or group settings.
Benefits of Using ACLs:
- Granular Control: You can set permissions for individual users or groups without changing the file owner or group.
- Inheritance: Default ACLs ensure consistent permissions for newly created files.
- Flexibility: ACLs complement traditional Unix permissions for more complex permission scenarios.
Sets permissions so the Splunk user can read logs.
### 1οΈβ£4οΈβ£ Customize Message of the Day (MOTD) π₯οΈ
```bash
mkdir /etc/motd.d
cat > /etc/motd.d/sdaedu << 'EOF'
ritaedu Splunk Build
EOF
```
Customizes login greeting with a message. π
MOTD (Message of the Day):
- Itβs a banner message displayed when users log in to the system via the command line.
- This command customizes the MOTD to display the message "ritaedu Splunk Build," which could be used to inform users about the Splunk setup or branding.
### 1οΈβ£5οΈβ£ Enable & Start Chrony Time Sync β°
```bash
systemctl enable chronyd
systemctl start chronyd
```
Why Use These Commands?
- Ensures the system clock stays accurate.
- Necessary for log files, Splunk data indexing, and other time-sensitive operations.
- Critical for distributed systems to maintain consistent timestamps.
### 1οΈβ£6οΈβ£ Download & Install Splunk π
#### Creating user-seed.conf:
user-seed.conf is a file defined by Splunk, and it is used to create an initial administrator account during the first-time startup of Splunk
##### How Splunk Uses user-seed.conf
One-Time Use:
- The credentials from user-seed.conf are only applied during the first startup.
- After that, the file is deleted by Splunk to prevent security risks.
No UI Prompt:
- This approach is often used in automated installations or deployments (e.g., scripted installations, Docker containers).
```bash
SPLUNK_HOME="/opt/splunk"
touch /tmp/user-seed.conf
cat > /tmp/user-seed.conf << 'EOF'
[user_info]
USERNAME = admin
PASSWORD = splunk123
EOF
sudo wget -O splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz "https://download.splunk.com/products/splunk/releases/9.4.0/linux/splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz"
sudo tar -xzvf /tmp/splunk-9.4.0-6b4ebe426ca6-linux-amd64.tgz -C /opt
sleep 2
echo 'oh yeah we are almost there...HAPPY SPLUNKING WITH ATLGSDACH SPLUNK ENG.'
```
- The touch /tmp/user-seed.conf ensures the file exists (although unnecessary if cat is used).
- The cat > /tmp/user-seed.conf << 'EOF' ... EOF defines the admin username and password for initial setup. This file is used by Splunk for first-time authentication setup.
#### /opt/splunk already exists, extracting the Splunk tarball with sudo tar -xzvf -C /opt will overwrite existing files with the same names but will not delete any files or directories that are not in the tarball.
Here's how it works:
- Files with the same name: They will be replaced with the files from the tarball.
- New files: Files in the tarball that don't already exist in /opt/splunk will be added.
- Existing files not in the tarball: Any files in /opt/splunk that are not part of the Splunk tarball will remain unchanged.
What this means:
- If you are upgrading or reinstalling Splunk, it may preserve configurations (e.g., server.conf, inputs.conf, etc.) as long as they are not overwritten by the tarball.
- Backup recommended: Before running the extraction, it's usually best to create a backup (e.g., cp -r /opt/splunk /opt/splunk_backup) to avoid unintentional loss of custom files or configurations.
Downloads & installs Splunk 9.4.0 from the official site.
### 1οΈβ£7οΈβ£ Configure & Start Splunk π
```bash
mv /tmp/user-seed.conf $SPLUNK_HOME/etc/system/local/user-seed.conf
touch $SPLUNK_HOME/etc/.ui_login
sudo chown -Rf splunk:splunk $SPLUNK_HOME
$SPLUNK_HOME/bin/splunk enable boot-start -user splunk --accept-license --answer-yes --no-prompt
sleep 2
echo -e "[settings]\nstartwebserver = True\nenableSplunkWebSSL = True\nsslVersions = tls1.2\n" >> $SPLUNK_HOME/etc/system/local/web.conf
sudo chown -Rf splunk:splunk $SPLUNK_HOME
$SPLUNK_HOME/bin/splunk start
```
Moves config files and starts Splunk β
1οΈβ£8οΈβ£ Success Message π
```bash
cowsay -f tux "WoHoo..Welcome to ATLGSDACH EDU..You installed SPLUNK successfully"
echo "done"
```
Displays a fun success message with cowsay π
## π Simplifying Splunk Installation for the Architect Class
Since we are installing multiple Splunk instances for the architect class, I have designed a Bash script to streamline the process and speed up our work.
If you encounter any issues while using it, please let me know. I'm happy to help! π
#### π¬ **Share Your Views!**
Join the discussion on the repository to share feedback and suggestions for improvement.
#### π§ **Want to Contribute?**
You can **fork** the repository, modify the script, and send a **pull request** to enhance it! π
Thank you for your support! π