Deployment Architecture

2 Splunk instance on Linux - passwd sync

Benomran
Explorer

After setting up Load Balance on 2 mirrored Splunk instance I had 2 passwd files located locally on each instance in /opt/splunk/etc/passwd. To sync passwords among the 2 instances, I created a (Linux) symbolic link to a shared drive /opt/share/etc/passwd. However when I created a new account (on 1 instance), the symbolic link was lost and the file returned local status once more.

How do sync credentials (passwd) on all splunk instances so I don't have to create an account on each instance manually? LDAP is currently not an option as I don't have resources for that now.

Thank you in advance!

0 Karma
1 Solution

adamw
Communicator

Instance 1:
rsync -av $SPLUNK_HOME/etc/passwd /sharedfolder/splunk/passwd

Instance 2/3/...:
rsync -av /sharedfolder/splunk/passwd $SPLUNK_HOME/etc/passwd

Put these both in cron every 5 minutes (or so) and you should be good to go.

View solution in original post

OL
Communicator

Don't you need to restart the servers every time the passwd file changes?

0 Karma

adamw
Communicator

Instance 1:
rsync -av $SPLUNK_HOME/etc/passwd /sharedfolder/splunk/passwd

Instance 2/3/...:
rsync -av /sharedfolder/splunk/passwd $SPLUNK_HOME/etc/passwd

Put these both in cron every 5 minutes (or so) and you should be good to go.

premg
Engager

Hi,

Do we need to restart the splunk instances for the passwords to work?

0 Karma

MHibbin
Influencer

How about rsync?

0 Karma

Benomran
Explorer

After a quick review on rsync I found this example command:
rsync -avvr $SPLUNK_HOME/etc/system/local/ <$SPLUNK_HOME/etc/apps/> :/$SPLUNK_HOME/etc/

What is the best way to rsync-ing it with existing shared folder? Is rsync both-way or one-way? My plan is to have additional instances in the future. I would still need to create an account via one instance.

The Idea would be to:
Instance 1 (Create accounts, transfer passwd to shared folder)
Instance 2 (receive copy of passwd from shared folder)
instance 3 (future - receive copy of passwd from shared folder)

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...