Deployment Architecture

AWS Elastic Beanstalk Failing to Set Up Splunk Universal Forwarder User

yourknightmares
Explorer

I'm attempting to set up my AWS Elastic Beanstalk instance to also run Splunk Universal Forwarder on it and forward data to my Splunk Cloud account. I am roughly following this guide: https://tech.smartling.com/logs-collection-from-aws-elasticbeanstalk-splunk-7edd0348bc96 with some changes to the .ebextensions file given. I know it's using an older version of universal forwarder, so the admin:changeme login doesn't work, but I went on to this page: https://docs.splunk.com/Documentation/Splunk/7.1.0/Security/Secureyouradminaccount#Create_a_password... and followed that by creating a user-seed.conf file with a random password, I even added a cat on that file and it printed out the correct information. However, I'm still getting the "No users exist. Please set up a user." error. Does anyone have any ideas?

Here's my actual .ebextensions file:

container_commands:
    01install-splunk:
        command: /usr/local/bin/install-splunk.sh
    02set-splunk-outputs:
        command: /usr/local/bin/set_splunk_outputs.sh
        env:
            SPLUNK_SERVER_HOST: "instance.splunkcloud.com:9997"
    03add-inputs-to-splunk:
        command: /usr/local/bin/add-inputs-to-splunk.sh
        env:
            ENVIRONMENT_NAME: "Development"
        cwd: /root
        ignoreErrors: false

files:
    "/usr/local/bin/install-splunk.sh":
        content: |
            #!/usr/bin/env bash
            # Download and install the Universal Forwarder RPM, then start it once.
            # The first start is when user-seed.conf (written below) is consumed.

            /usr/bin/wget "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.0&product=universalforwarder&filename=splunkforwarder-8.1.0-f57c09e87251-linux-2.6-x86_64.rpm&wget=true" -O /usr/src/splunk-universal-forwarder.rpm
            /bin/rpm -i /usr/src/splunk-universal-forwarder.rpm

            if [[ -z $(pgrep splunk) ]]; then
                /opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
            fi
        mode: "000755"
    "/opt/splunkforwarder/etc/system/local/outputs.conf":
        content: |
            # splunk_server_host is a placeholder that set_splunk_outputs.sh replaces.
            # SPLUNK_SERVER_HOST already carries the port, so no ":9997" suffix here.
            [tcpout]
            defaultGroup = splunkLogs
            disabled = false

            [tcpout:splunkLogs]
            server = splunk_server_host

            [tcpout-server://splunk_server_host]
        mode: "000644"
    "/usr/local/bin/set_splunk_outputs.sh":
        content: |
            #!/usr/bin/env bash
            # Substitute the real indexer address into outputs.conf and restart
            # the forwarder only if the file actually changed.

            if [[ -z $SPLUNK_SERVER_HOST ]]; then
                echo "$0: Cannot find splunk server host."
                exit 1
            fi

            # The variable is outputs_file throughout; the original script tested
            # and edited an unset $outputs, so the placeholder was never replaced.
            outputs_file="/opt/splunkforwarder/etc/system/local/outputs.conf"
            if [[ -e $outputs_file ]]; then
                chown splunk.splunk "$outputs_file"
                cp -f "$outputs_file" "$outputs_file.orig"
                sed -i "s/splunk_server_host/$SPLUNK_SERVER_HOST/g" "$outputs_file"

                if [[ -n $(diff "$outputs_file" "$outputs_file.orig") && -n $(pgrep splunk) ]]; then
                    /opt/splunkforwarder/bin/splunk restart
                fi
            fi
        mode: "000755"
    "/opt/splunkforwarder/etc/system/local/user-seed.conf":
        content: |
            # Read by the forwarder on its first start to create the admin user.
            [user_info]
            USERNAME = admin
            PASSWORD = "fdsajigoqpkmgas"
        # Plaintext credential: keep it readable by the owner only.
        mode: "000600"
    "/usr/local/bin/add-inputs-to-splunk.sh":
        content: |
            #!/usr/bin/env bash
            # Install the Splunk Cloud credentials app and register the log monitor,
            # naming the host after the environment and EC2 instance id.

            application_name=$ENVIRONMENT_NAME
            instance_name=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
            splunk_logs_hostname="$application_name/$instance_name"
            wget "https://bucket.s3.amazonaws.com/splunkclouduf.spl" -O /usr/src/splunk-credentials.spl

            export HOME=/root
            /opt/splunkforwarder/bin/splunk install app /usr/src/splunk-credentials.spl -auth admin:"fdsajigoqpkmgas"
            /opt/splunkforwarder/bin/splunk login -auth admin:"fdsajigoqpkmgas"

            /opt/splunkforwarder/bin/splunk add monitor "/tmp/logs/stacktrace.log" -hostname "$splunk_logs_hostname" -sourcetype log4j
        mode: "000755"

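A preflight check for the seed file, added here as an example and not part of either post: it verifies the user-seed.conf layout the question relies on, refuses a world-readable seed (it holds a plaintext credential), and flags the case where the forwarder's etc/passwd already exists, since (an assumption, taken from the Splunk docs the question links) the seed is only consumed on the first start. The paths and the write_seed helper are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: preflight checks for the
# user-seed.conf that the .ebextensions above drops into the forwarder.
# Assumption: the seed is read only on the forwarder's first start and is
# ignored once $SPLUNK_HOME/etc/passwd exists.

# check_user_seed SEED_FILE PASSWD_FILE
# Returns 0 when the seed looks usable; a distinct non-zero code per problem.
check_user_seed() {
    seed="$1"; passwd="$2"
    [ -f "$seed" ] || { echo "seed file missing: $seed" >&2; return 2; }
    grep -q '^\[user_info\]' "$seed" || { echo "no [user_info] stanza" >&2; return 3; }
    grep -Eq '^USERNAME[[:space:]]*=[[:space:]]*[^[:space:]]+' "$seed" \
        || { echo "USERNAME not set" >&2; return 4; }
    grep -Eq '^PASSWORD[[:space:]]*=[[:space:]]*[^[:space:]]+' "$seed" \
        || { echo "PASSWORD not set" >&2; return 5; }
    # The seed holds a plaintext credential: refuse files others can read.
    case "$(ls -l "$seed" | cut -c8-10)" in
        ---) ;;
        *) echo "seed is readable by others; set mode 600" >&2; return 6 ;;
    esac
    # Once etc/passwd exists the seed is never consulted again, which is one
    # way to keep seeing "No users exist" after re-running the deployment.
    [ ! -e "$passwd" ] || { echo "$passwd exists; seed will be ignored" >&2; return 7; }
    return 0
}

# write_seed DIR USERNAME PASSWORD MODE: writes a constructed seed file into
# DIR with the given mode and prints its path (fixture helper for the checks).
write_seed() {
    dir="$1"
    printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$2" "$3" > "$dir/user-seed.conf"
    chmod "$4" "$dir/user-seed.conf"
    echo "$dir/user-seed.conf"
}

# Stand-alone usage: check_user_seed.sh SEED_FILE PASSWD_FILE
if [ $# -ge 2 ]; then
    check_user_seed "$1" "$2"
fi
```

Run it against /opt/splunkforwarder/etc/system/local/user-seed.conf and /opt/splunkforwarder/etc/passwd on the instance before the first splunk start; a non-zero exit names the reason the seed would not produce a user.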
smohanty_cme
Engager

Hi! I followed the same tutorial and ran into the same error while attempting to deploy. Have you found any success with this yet? Thanks
