Deployment Architecture

AWS Elastic Beanstalk Failing to Set Up Splunk Universal Forwarder User

yourknightmares
Explorer

I'm attempting to set up my AWS Elastic Beanstalk instance to also run Splunk Universal Forwarder on it and forward data to my Splunk Cloud account. I am roughly following this guide: https://tech.smartling.com/logs-collection-from-aws-elasticbeanstalk-splunk-7edd0348bc96 with some changes to the .ebextensions file given. I know it's using an older version of universal forwarder, so the admin:changeme login doesn't work, but I went on to this page: https://docs.splunk.com/Documentation/Splunk/7.1.0/Security/Secureyouradminaccount#Create_a_password... and followed that by creating a user-seed.conf file with a random password, I even added a cat on that file and it printed out the correct information. However, I'm still getting the "No users exist. Please set up a user." error. Does anyone have any ideas?

Here's my actual .ebextensions file:

 

 

container_commands:
    01install-splunk:
        command: /usr/local/bin/install-splunk.sh
    02set-splunk-outputs:
        command: /usr/local/bin/set_splunk_outputs.sh
        env:
            SPLUNK_SERVER_HOST: "instance.splunkcloud.com:9997"
    03add-inputs-to-splunk:
        command: /usr/local/bin/add-inputs-to-splunk.sh
        env:
            ENVIRONMENT_NAME: "Development"
        cwd: /root
        ignoreErrors: false 

files:
    "/usr/local/bin/install-splunk.sh":
        content: |
            #!/usr/bin/env bash

            /usr/bin/wget "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.0&product=universalforwarder&filename=splunkforwarder-8.1.0-f57c09e87251-linux-2.6-x86_64.rpm&wget=true" -O /usr/src/splunk-universal-forwarder.rpm
            /bin/rpm -i /usr/src/splunk-universal-forwarder.rpm

            if [[ -z $(pgrep splunk) ]];then
                /opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
            fi
        mode: "000755"
    "/opt/splunkforwarder/etc/system/local/outputs.conf":
        content: |
            [tcpout]
            defaultGroup = splunkLogs
            disabled = false

            [tcpout:splunkLogs]
            server = splunk_server_host

            [tcpout-server://splunk-server-host:9997]
        mode: "000644"
    "/usr/local/bin/set_splunk_outputs.sh":
        content: |
            #!/usr/bin/env bash

            if [[ -z $SPLUNK_SERVER_HOST ]];then
                echo "$0: Cannot find splunk server host."
                exit 1
            fi

            outputs_file="/opt/splunkforwarder/etc/system/local/outputs.conf"
            if [[ -e $outputs ]];then
                chown splunk.splunk $outputs
                cp -f $outputs_file $outputs_file.orig
                sed -i "s/splunk_server_host/$SPLUNK_SERVER_HOST/g" $outputs

                if [[ -n $(diff $outputs_file $outputs_file.orig) && -n $(pgrep splunk) ]];then
                    /opt/splunkforwarder/bin/splunk restart
                fi
            fi
        mode: "000755"
    "/opt/splunkforwarder/etc/system/local/user-seed.conf":
        content: |
            [user_info]
            USERNAME = admin
            PASSWORD = "fdsajigoqpkmgas"
    "/usr/local/bin/add-inputs-to-splunk.sh":
        content: |
            #!/usr/bin/env bash

            application_name=$ENVIRONMENT_NAME
            instance_name=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
            splunk_logs_hostname="$application_name/$instance_name"
            wget "https://bucket.s3.amazonaws.com/splunkclouduf.spl" -O /usr/src/splunk-credentials.spl

            export HOME=/root
            /opt/splunkforwarder/bin/splunk install app /usr/src/splunk-credentials.spl -auth admin:"fdsajigoqpkmgas"
            /opt/splunkforwarder/bin/splunk login -auth admin:"fdsajigoqpkmgas"

            /opt/splunkforwarder/bin/splunk add monitor "/tmp/logs/stacktrace.log" -hostname "$splunk_logs_hostname" -sourcetype log4j
        mode: "000755"

 

 

smohanty_cme
Engager

Hi! I followed the same tutorial and ran into the same error while attempting to deploy. Have you found any success with this yet? Thanks

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...