
AWS Elastic Beanstalk Failing to Set Up Splunk Universal Forwarder User

yourknightmares
Explorer

I'm attempting to set up my AWS Elastic Beanstalk instance to also run Splunk Universal Forwarder on it and forward data to my Splunk Cloud account. I am roughly following this guide: https://tech.smartling.com/logs-collection-from-aws-elasticbeanstalk-splunk-7edd0348bc96 with some changes to the .ebextensions file given. I know it's using an older version of universal forwarder, so the admin:changeme login doesn't work, but I went on to this page: https://docs.splunk.com/Documentation/Splunk/7.1.0/Security/Secureyouradminaccount#Create_a_password... and followed that by creating a user-seed.conf file with a random password. I even added a cat on that file, and it printed out the correct information. However, I'm still getting the "No users exist. Please set up a user." error. Does anyone have any ideas?

Here's my actual .ebextensions file:

container_commands:
    01install-splunk:
        command: /usr/local/bin/install-splunk.sh
    02set-splunk-outputs:
        command: /usr/local/bin/set_splunk_outputs.sh
        env:
            SPLUNK_SERVER_HOST: "instance.splunkcloud.com:9997"
    03add-inputs-to-splunk:
        command: /usr/local/bin/add-inputs-to-splunk.sh
        env:
            ENVIRONMENT_NAME: "Development"
        cwd: /root
        ignoreErrors: false

files:
    "/usr/local/bin/install-splunk.sh":
        content: |
            #!/usr/bin/env bash

            # Download and install the Universal Forwarder RPM.
            /usr/bin/wget "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.0&product=universalforwarder&filename=splunkforwarder-8.1.0-f57c09e87251-linux-2.6-x86_64.rpm&wget=true" -O /usr/src/splunk-universal-forwarder.rpm
            /bin/rpm -i /usr/src/splunk-universal-forwarder.rpm

            # Start the forwarder only if it is not already running.
            if [[ -z $(pgrep splunk) ]]; then
                /opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
            fi
        mode: "000755"
    "/opt/splunkforwarder/etc/system/local/outputs.conf":
        content: |
            [tcpout]
            defaultGroup = splunkLogs
            disabled = false

            [tcpout:splunkLogs]
            # "splunk_server_host" is a placeholder that set_splunk_outputs.sh replaces with host:port.
            server = splunk_server_host

            # Same placeholder token here so the sed substitution catches this stanza too.
            [tcpout-server://splunk_server_host]
        mode: "000644"
    "/usr/local/bin/set_splunk_outputs.sh":
        content: |
            #!/usr/bin/env bash

            if [[ -z $SPLUNK_SERVER_HOST ]]; then
                echo "$0: Cannot find splunk server host."
                exit 1
            fi

            outputs_file="/opt/splunkforwarder/etc/system/local/outputs.conf"
            if [[ -e $outputs_file ]]; then
                chown splunk:splunk "$outputs_file"
                cp -f "$outputs_file" "$outputs_file.orig"
                # Replace the placeholder with the real host:port ('|' delimiter so a '/' in the value cannot break sed).
                sed -i "s|splunk_server_host|$SPLUNK_SERVER_HOST|g" "$outputs_file"

                # Restart only if the file actually changed and the forwarder is running.
                if [[ -n $(diff "$outputs_file" "$outputs_file.orig") && -n $(pgrep splunk) ]]; then
                    /opt/splunkforwarder/bin/splunk restart
                fi
            fi
        mode: "000755"
    "/opt/splunkforwarder/etc/system/local/user-seed.conf":
        content: |
            [user_info]
            USERNAME = admin
            # .conf values are taken literally; do not wrap the password in quotes or they become part of it.
            PASSWORD = fdsajigoqpkmgas
    "/usr/local/bin/add-inputs-to-splunk.sh":
        content: |
            #!/usr/bin/env bash

            application_name=$ENVIRONMENT_NAME
            # Instance id from the EC2 metadata service, used to build a per-instance host name.
            instance_name=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
            splunk_logs_hostname="$application_name/$instance_name"
            wget "https://bucket.s3.amazonaws.com/splunkclouduf.spl" -O /usr/src/splunk-credentials.spl

            export HOME=/root
            # The -auth password must match the (unquoted) PASSWORD in user-seed.conf.
            /opt/splunkforwarder/bin/splunk install app /usr/src/splunk-credentials.spl -auth admin:"fdsajigoqpkmgas"
            /opt/splunkforwarder/bin/splunk login -auth admin:"fdsajigoqpkmgas"

            /opt/splunkforwarder/bin/splunk add monitor "/tmp/logs/stacktrace.log" -hostname "$splunk_logs_hostname" -sourcetype log4j
        mode: "000755"
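The .ebextensions above has two places where a value can silently come out wrong: the outputs.conf placeholder only gets substituted where it is spelled exactly as sed expects, and a quoted PASSWORD in user-seed.conf is stored with the quotes, since Splunk .conf values are read literally, so it no longer matches the unquoted password passed via -auth. The script below is an added example, not part of the original post; it renders a constructed outputs.conf template, counts placeholders sed left behind, and lints a constructed user-seed.conf against the password a script passes to -auth. The file names and the placeholder token are taken from the post; the check functions are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity checks for the two places
# the .ebextensions config can silently go wrong, run against constructed copies
# of user-seed.conf and outputs.conf in a temp directory.

# Render an outputs.conf template: every occurrence of the placeholder token
# is replaced with the forwarder target (host:port). '|' is used as the sed
# delimiter so a value containing '/' cannot break the expression.
render_outputs() {
    local template="$1" target="$2"
    sed "s|splunk_server_host|${target}|g" "$template"
}

# Count placeholders left behind after rendering (e.g. a stanza that used
# "splunk-server-host" with hyphens and so was never substituted).
unreplaced_placeholders() {
    grep -c -E 'splunk[-_]server[-_]host' "$1" || true
}

# Check a user-seed.conf: it needs a [user_info] stanza, a USERNAME and a
# PASSWORD, and the PASSWORD value must not be wrapped in quotes because
# .conf values are taken literally. Returns 0 when the seed looks usable.
check_seed() {
    local seed="$1" pw
    grep -q '^\[user_info\]' "$seed" || { echo "missing [user_info] stanza"; return 1; }
    grep -q -E '^USERNAME *= *[^ ]+' "$seed" || { echo "missing USERNAME"; return 1; }
    pw=$(sed -n -E 's/^PASSWORD *= *(.*)$/\1/p' "$seed")
    [ -n "$pw" ] || { echo "missing PASSWORD"; return 1; }
    case "$pw" in
        \"*\"|\'*\') echo "PASSWORD is quoted; the quotes would become part of the password"; return 1 ;;
    esac
    return 0
}

# Extract the password a script passes via "-auth admin:<password>" so it can
# be compared with the seed file; the two must match for "splunk login" to work.
auth_password_from_script() {
    sed -n -E 's/.*-auth admin:"?([^" ]+)"?.*/\1/p' "$1" | head -n 1
}

# Plain password from user-seed.conf (quotes, if any, are kept so a mismatch shows).
seed_password() {
    sed -n -E 's/^PASSWORD *= *(.*)$/\1/p' "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed inputs mirroring the post's files (values are made up for the example).
cat > "$workdir/outputs.conf.tmpl" <<'EOF'
[tcpout]
defaultGroup = splunkLogs
disabled = false

[tcpout:splunkLogs]
server = splunk_server_host

[tcpout-server://splunk-server-host:9997]
EOF

cat > "$workdir/user-seed.quoted" <<'EOF'
[user_info]
USERNAME = admin
PASSWORD = "fdsajigoqpkmgas"
EOF

cat > "$workdir/user-seed.ok" <<'EOF'
[user_info]
USERNAME = admin
PASSWORD = fdsajigoqpkmgas
EOF

printf '%s\n' '/opt/splunkforwarder/bin/splunk login -auth admin:"fdsajigoqpkmgas"' > "$workdir/add-inputs.sh"

render_outputs "$workdir/outputs.conf.tmpl" "instance.splunkcloud.com:9997" > "$workdir/outputs.conf"
echo "unreplaced placeholders after rendering: $(unreplaced_placeholders "$workdir/outputs.conf")"
check_seed "$workdir/user-seed.quoted" || echo "quoted seed rejected"
check_seed "$workdir/user-seed.ok" && echo "plain seed accepted"
if [ "$(seed_password "$workdir/user-seed.ok")" = "$(auth_password_from_script "$workdir/add-inputs.sh")" ]; then
    echo "seed password matches -auth password"
fi
```

Run as-is and it reports one placeholder left unrendered (the hyphenated tcpout-server stanza), rejects the quoted seed file, and confirms the unquoted seed matches the -auth value; point the functions at the real files under /opt/splunkforwarder/etc/system/local to check a deployed instance.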

smohanty_cme
Engager

Hi! I followed the same tutorial and ran into the same error while attempting to deploy. Have you found any success with this yet? Thanks

0 Karma