topic Puppetizing Splunk for SSL-enabled Light Forwarding in Security https://community.splunk.com/t5/Security/Puppetizing-Splunk-for-SSL-enabled-Light-Forwarding/m-p/72413#M2381 <P>I've seen <A href="http://answers.splunk.com/questions/345/does-splunk-play-nice-with-puppet" rel="nofollow">http://answers.splunk.com/questions/345/does-splunk-play-nice-with-puppet</A> and there is a Puppet manifest in the answer but the manifest doesn't address some of the entries in it.</P> <P>The question is: What is the purpose of the files in $SPLUNK_HOME/etc/auth? Many of them are explained by <A href="http://www.splunk.com/base/Documentation/latest/admin/Secureaccesstoyoursplunkserverwithssl" rel="nofollow">http://www.splunk.com/base/Documentation/latest/admin/Secureaccesstoyoursplunkserverwithssl</A> but some are still not explained.</P> <P>On a new Splunk 4.1.5 installation that was turned into a light forwarder I have these files in $SPLUNK_HOME/etc/auth</P> <PRE><CODE>.: total 36 drwx--x--x 2 root root 4096 Oct 14 14:18 audit -r--r--r-- 1 splunk splunk 912 Sep 4 05:53 cacert.pem -r--r--r-- 1 splunk splunk 1875 Sep 4 05:53 ca.pem -rw------- 1 root root 17 Oct 14 14:30 ca.srl drwx--x--x 2 root root 4096 Oct 14 14:18 distServerKeys -rw------- 1 root root 951 Oct 14 14:30 privkeySecure.pem -rw------- 1 root root 595 Oct 14 14:30 req.pem -rw------- 1 root root 2689 Oct 14 14:30 server.pem -r-------- 1 root root 255 Oct 14 14:30 splunk.secret ./audit: total 8 -rw------- 1 root root 887 Oct 14 14:18 private.pem -rw------- 1 root root 272 Oct 14 14:18 public.pem ./distServerKeys: total 8 -rw------- 1 root root 887 Oct 14 14:18 private.pem -rw------- 1 root root 272 Oct 14 14:18 trusted.pem </CODE></PRE> <P>What is the function of each file listed and which of them can (and should) be omitted from a forwarder?</P> Tue, 19 Oct 2010 02:34:25 GMT lisa_1 2010-10-19T02:34:25Z Puppetizing Splunk for SSL-enabled Light Forwarding https://community.splunk.com/t5/Security/Puppetizing-Splunk-for-SSL-enabled-Light-Forwarding/m-p/72413#M2381 <P>I've seen <A href="http://answers.splunk.com/questions/345/does-splunk-play-nice-with-puppet" rel="nofollow">http://answers.splunk.com/questions/345/does-splunk-play-nice-with-puppet</A> and there is a Puppet manifest in the answer but the manifest doesn't address some of the entries in it.</P> <P>The question is: What is the purpose of the files in $SPLUNK_HOME/etc/auth? Many of them are explained by <A href="http://www.splunk.com/base/Documentation/latest/admin/Secureaccesstoyoursplunkserverwithssl" rel="nofollow">http://www.splunk.com/base/Documentation/latest/admin/Secureaccesstoyoursplunkserverwithssl</A> but some are still not explained.</P> <P>On a new Splunk 4.1.5 installation that was turned into a light forwarder I have these files in $SPLUNK_HOME/etc/auth</P> <PRE><CODE>.: total 36 drwx--x--x 2 root root 4096 Oct 14 14:18 audit -r--r--r-- 1 splunk splunk 912 Sep 4 05:53 cacert.pem -r--r--r-- 1 splunk splunk 1875 Sep 4 05:53 ca.pem -rw------- 1 root root 17 Oct 14 14:30 ca.srl drwx--x--x 2 root root 4096 Oct 14 14:18 distServerKeys -rw------- 1 root root 951 Oct 14 14:30 privkeySecure.pem -rw------- 1 root root 595 Oct 14 14:30 req.pem -rw------- 1 root root 2689 Oct 14 14:30 server.pem -r-------- 1 root root 255 Oct 14 14:30 splunk.secret ./audit: total 8 -rw------- 1 root root 887 Oct 14 14:18 private.pem -rw------- 1 root root 272 Oct 14 14:18 public.pem ./distServerKeys: total 8 -rw------- 1 root root 887 Oct 14 14:18 private.pem -rw------- 1 root root 272 Oct 14 14:18 trusted.pem </CODE></PRE> <P>What is the function of each file listed and which of them can (and should) be omitted from a forwarder?</P> Tue, 19 Oct 2010 02:34:25 GMT https://community.splunk.com/t5/Security/Puppetizing-Splunk-for-SSL-enabled-Light-Forwarding/m-p/72413#M2381 lisa_1 2010-10-19T02:34:25Z Re: Puppetizing Splunk for SSL-enabled Light Forwarding https://community.splunk.com/t5/Security/Puppetizing-Splunk-for-SSL-enabled-Light-Forwarding/m-p/72414#M2382 <P>You should synchronize the whole auth directory for consistency. Those files are their for the ssl communication and password configuration. As the other Splunk Answers question and answer states, you should also sync the etc/system/local/server.conf and the etc/passwd file.</P> Tue, 19 Oct 2010 02:39:22 GMT https://community.splunk.com/t5/Security/Puppetizing-Splunk-for-SSL-enabled-Light-Forwarding/m-p/72414#M2382 Simeon 2010-10-19T02:39:22Z Re: Puppetizing Splunk for SSL-enabled Light Forwarding https://community.splunk.com/t5/Security/Puppetizing-Splunk-for-SSL-enabled-Light-Forwarding/m-p/72415#M2383 <P>I've come up with a Puppet class to do just this: <A href="https://github.com/TransGaming/puppet/tree/master/splunk" rel="nofollow">https://github.com/TransGaming/puppet/tree/master/splunk</A></P> Thu, 25 Nov 2010 22:53:04 GMT https://community.splunk.com/t5/Security/Puppetizing-Splunk-for-SSL-enabled-Light-Forwarding/m-p/72415#M2383 lisa_1 2010-11-25T22:53:04Z