How do I script install Splunk 7.0.2 on CentOS 7 64 bit (THP, ulimit, permissions, ports, and inputs settings)?

sd306
Explorer

I am looking for an automated way to install Splunk 7.0.2 on CentOS 7 64 bit using the best practices for setting Transparent Huge Pages (THP), ulimit, permissions, ports, and inputs settings.

0 Karma
1 Solution

sd306
Explorer

Hello self,

You can use the following automated shell script for CentOS 7 64 bit ONLY 😉

Features:
-Installs wget and downloads the Splunk installer from the web.
-Disables THP.
-Sets ulimit.
-Installs Splunk 7.0.2 on CentOS 7 64 bit ONLY, automatically.
-Creates Linux user "splunk" and sets password.
-Sets proper permissions.
-Opens firewall ports.
-Creates SplunkTCP input over 9997.
-Creates UDP input over 10514.
-Adjusts splunk-launch.conf to mitigate privilege escalation attack.

How-to:
1. Log in as root
2. Create a file called "installSplunk702.sh" in your home directory using the command: vi installSplunk702.sh
3. Press "i" when you are in "vi" to insert text. Copy and paste the below script into the window:


#!/bin/bash
echo
echo '##############################################'
echo '#                                            #'
echo '# Welcome to the Splunk 7.0.2 auto-installer #'
echo '# for CentOS 7 x64.                          #'
echo '# Last updated 03/12/2018.                   #'
echo '# Enter the "splunk" linux user account      #'
echo '# password and press enter to let the magic  #'
echo '# happen. Note: You will change the Splunk   #'
echo '# Web admin password upon first login.       #'
echo '#                                            #'
echo '##############################################'
echo
# -s keeps the password off the terminal and out of scrollback.
read -s splunkPassword
echo
# Disable THP now, then install a systemd unit so it stays disabled after reboot.
echo "never" > /sys/kernel/mm/transparent_hugepage/enabled
echo "never" > /sys/kernel/mm/transparent_hugepage/defrag
echo "[Unit]" > /etc/systemd/system/disable-thp.service
echo "Description=Disable Transparent Huge Pages" >> /etc/systemd/system/disable-thp.service
echo "" >> /etc/systemd/system/disable-thp.service
echo "[Service]" >> /etc/systemd/system/disable-thp.service
echo "Type=simple" >> /etc/systemd/system/disable-thp.service
echo 'ExecStart=/bin/sh -c "echo never > /sys/kernel/mm/transparent_hugepage/enabled && echo never > /sys/kernel/mm/transparent_hugepage/defrag"' >> /etc/systemd/system/disable-thp.service
echo "" >> /etc/systemd/system/disable-thp.service
echo "[Install]" >> /etc/systemd/system/disable-thp.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/disable-thp.service
systemctl daemon-reload
systemctl start disable-thp
systemctl enable disable-thp
echo
echo "Transparent Huge Pages (THP) Disabled."
echo
# The ulimit calls only affect this shell; the DefaultLimit* lines in system.conf
# make the limits persistent for services started by systemd (Splunk at boot).
ulimit -n 64000
ulimit -u 20480
echo "DefaultLimitFSIZE=-1" >> /etc/systemd/system.conf
echo "DefaultLimitNOFILE=64000" >> /etc/systemd/system.conf
echo "DefaultLimitNPROC=20480" >> /etc/systemd/system.conf
echo
echo "ulimit Increased."
echo
yum install wget -y
cd /tmp
wget -O splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.2&product=splunk&filename=splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz&wget=true'
echo
echo "Splunk Downloaded."
echo
tar -xzvf /tmp/splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz -C /opt
rm -f /tmp/splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz
useradd splunk
# Pipe the password straight into chpasswd instead of staging it in a /tmp file
# that other users could read before it is deleted.
echo "splunk:$splunkPassword" | chpasswd
echo
echo "Splunk installed and splunk linux user created."
echo
echo "[settings]" > /opt/splunk/etc/system/local/web.conf
echo "enableSplunkWebSSL = true" >> /opt/splunk/etc/system/local/web.conf
echo
echo "HTTPS enabled for Splunk Web using self-signed certificate."
echo
chown -R splunk:splunk /opt/splunk
# The first line of --get-active-zones output is the zone name.
afz=`firewall-cmd --get-active-zones | head -1`
firewall-cmd --zone=$afz --add-port=8000/tcp --permanent
firewall-cmd --zone=$afz --add-port=8065/tcp --permanent
firewall-cmd --zone=$afz --add-port=8089/tcp --permanent
firewall-cmd --zone=$afz --add-port=8191/tcp --permanent
firewall-cmd --zone=$afz --add-port=9997/tcp --permanent
firewall-cmd --zone=$afz --add-port=8080/tcp --permanent
firewall-cmd --zone=$afz --add-port=10514/udp --permanent
firewall-cmd --reload
echo
echo "Firewall ports used by Splunk opened."
echo "[splunktcp]" > /opt/splunk/etc/system/local/inputs.conf
echo "[splunktcp://9997]" >> /opt/splunk/etc/system/local/inputs.conf
echo "index = main" >> /opt/splunk/etc/system/local/inputs.conf
echo "disabled = 0" >> /opt/splunk/etc/system/local/inputs.conf
echo "" >> /opt/splunk/etc/system/local/inputs.conf
echo "[udp://10514]" >> /opt/splunk/etc/system/local/inputs.conf
echo "index = main" >> /opt/splunk/etc/system/local/inputs.conf
echo "disabled = 0" >> /opt/splunk/etc/system/local/inputs.conf
chown splunk:splunk /opt/splunk/etc/system/local/inputs.conf
echo
echo "Enabled Splunk TCP input over 9997 and UDP traffic input over 10514."
echo
# First start runs as the unprivileged splunk user; --answer-yes --no-prompt keep it non-interactive.
runuser -l splunk -c '/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt'
# boot-start must be enabled as root; -user makes the boot script run Splunk as splunk.
/opt/splunk/bin/splunk enable boot-start -user splunk
runuser -l splunk -c '/opt/splunk/bin/splunk stop'
# The root-run boot-start script reads splunk-launch.conf, so make it root-owned and
# read-only for the splunk user; then that account cannot alter what the boot script reads.
chown root:splunk /opt/splunk/etc/splunk-launch.conf
chmod 644 /opt/splunk/etc/splunk-launch.conf
echo
echo "Splunk test start and stop complete. Enabled Splunk to start at boot. Also, adjusted splunk-launch.conf to mitigate privilege escalation attack."
echo
runuser -l splunk -c '/opt/splunk/bin/splunk start'
if [[ -f /opt/splunk/bin/splunk ]]
        then
                echo Splunk Enterprise
                head -1 /opt/splunk/etc/splunk.version
                echo "has been installed, configured, and started!"
                echo "Visit the Splunk server using https://hostNameORip:8000 as mentioned above."
                echo
                echo
                echo "                        HAPPY SPLUNKING!!!"
                echo
                echo
                echo
        else
                echo Splunk Enterprise has FAILED install!
fi
#End of File

Continued from above:
4. Press "esc" key once.
5. Hold "Shift" and press "z" twice to save.
6. Run the following command to make the script executable: chmod 700 installSplunk702.sh
7. Then run the script using: ./installSplunk702.sh

Suggestions/Questions?

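As an added example that is not part of the original post (and not a Splunk tool), here is a small audit script that checks the state the installer above leaves behind: the active THP mode, the DefaultLimit* values in /etc/systemd/system.conf, the ownership and mode of splunk-launch.conf (the privilege-escalation mitigation the script mentions), and whether the splunktcp://9997 and udp://10514 inputs are present and enabled. The file paths are the ones the installer writes; the sample strings in the default branch are constructed for the demo, and the --live flag belongs to this script only.

```shell
#!/bin/bash
# Added example: post-install audit for the Splunk 7.0.2 auto-installer above.
# Each check is a function that takes its input as text, so it can run against
# constructed sample data (default) or against the live host (--live).

# THP sysfs files read like "always madvise [never]"; the bracketed word is active.
thp_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Value of a DefaultLimit* key in system.conf text ("" if absent). Commented-out
# defaults ("#DefaultLimitNOFILE=") do not match, and the last occurrence wins,
# which matches the installer appending its lines to the end of the file.
systemd_limit() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }'
}

# splunk-launch.conf is read by the root-run boot-start script, so it must be
# root-owned and writable by root only (the installer's chown root:splunk + chmod 644).
launch_conf_safe() {
    owner=$1
    mode=$2
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        *[2367][0-7]|*[0-7][2367]) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# True if inputs.conf text contains [stanza] and that stanza is not "disabled = 1".
input_enabled() {
    printf '%s\n' "$1" | awk -v want="[$2]" '
        { sub(/[ \t]*=[ \t]*/, " = ") }                       # normalise key=value spacing
        /^\[/ { in_stanza = ($0 == want); if (in_stanza) found = 1; next }
        in_stanza && $1 == "disabled" && $3 != "0" { disabled = 1 }
        END { if (found && !disabled) exit 0; exit 1 }'
}

report() {
    label=$1
    shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# $1 THP enabled text, $2 THP defrag text, $3 system.conf text,
# $4 splunk-launch.conf owner, $5 its octal mode, $6 inputs.conf text
audit() {
    nofile=$(systemd_limit "$3" DefaultLimitNOFILE)
    nproc=$(systemd_limit "$3" DefaultLimitNPROC)
    report "THP enabled = never" [ "$(thp_active_mode "$1")" = "never" ]
    report "THP defrag = never"  [ "$(thp_active_mode "$2")" = "never" ]
    report "DefaultLimitNOFILE >= 64000" [ "${nofile:-0}" -ge 64000 ]
    report "DefaultLimitNPROC >= 20480"  [ "${nproc:-0}" -ge 20480 ]
    report "splunk-launch.conf root-owned and not group/world writable" launch_conf_safe "$4" "$5"
    report "splunktcp://9997 input enabled" input_enabled "$6" "splunktcp://9997"
    report "udp://10514 input enabled"      input_enabled "$6" "udp://10514"
}

if [ "${1:-}" = "--live" ]; then
    # Run as root on the installed host.
    audit "$(cat /sys/kernel/mm/transparent_hugepage/enabled)" \
          "$(cat /sys/kernel/mm/transparent_hugepage/defrag)" \
          "$(cat /etc/systemd/system.conf)" \
          "$(stat -c '%U' /opt/splunk/etc/splunk-launch.conf)" \
          "$(stat -c '%a' /opt/splunk/etc/splunk-launch.conf)" \
          "$(cat /opt/splunk/etc/system/local/inputs.conf)"
else
    # Constructed sample data describing a host configured by the installer above.
    audit "always madvise [never]" "always madvise [never]" \
          "$(printf 'DefaultLimitFSIZE=-1\nDefaultLimitNOFILE=64000\nDefaultLimitNPROC=20480\n')" \
          root 644 \
          "$(printf '[splunktcp://9997]\nindex = main\ndisabled = 0\n\n[udp://10514]\nindex = main\ndisabled = 0\n')"
fi
```

Run it with no arguments to see the checks pass on the constructed sample, or as root with --live after running the installer; a FAIL on the splunk-launch.conf line is the one to act on first, since the other checks are about capacity rather than privilege.
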
stanislavmerzly
Engager

Thank you so much! Even if not for the automated install, it is a great, simple guide for a strong, secure installation!

0 Karma

sd306
Explorer

You're welcome! I also created one for signing certs with your own CA, but may not post that until later.

0 Karma

sandeeprachuri
Path Finder

Hi @sd306, This is very helpful for me. I love the way you wrote both the scripts (easily readable).
What are the changes needed for RHEL 7-64?

Thank you for the great work.
Sandeep

0 Karma

sd306
Explorer

Sandeeprachuri,

You're welcome! I actually am working on some other simple scripts to create index clusters, etc.

While I don't have a RHEL 7 system to test, I don't believe any change is needed. THP used to be located in different areas on CentOS and RHEL 6, but now I believe they are the same on CentOS and RHEL 7.

Please test this on a test RHEL 7 64-bit server and report back!

Thanks,
SD306

0 Karma

guru865
Path Finder

Hello sd306 ,

Could you please post here the changes required to the script for Amazon Linux AMI 64-bit? It would be great if you could suggest the modifications required.

Thanks
guru865

0 Karma

sd306
Explorer

Thanks self. Now how would I remove it automatically?

0 Karma

sd306
Explorer

How-to:
1. Log in as root
2. Create a file called "removeSplunk702.sh" in your home directory using the command: vi removeSplunk702.sh
3. Press "i" when you are in "vi" to insert text. Copy and paste the below script into the window:


#!/bin/bash
echo
echo '##############################################'
echo '#                                            #'
echo '# Welcome to the Splunk 7.0.2 auto-          #'
echo '# uninstaller for CentOS 7 x64.              #'
echo '# This should ONLY be used to remove Splunk  #'
echo '# 7.0.2 that was installed with the auto-    #'
echo '# installer.                                 #'
echo '# Last updated 03/12/2018.                   #'
echo '# Press enter TWICE to remove Splunk 7.0.2.  #'
echo '#                                            #'
echo '##############################################'
echo
read -p ""
read -p ""
if [[ ! -f /opt/splunk/bin/splunk ]] ; then
    echo Splunk is not installed, removal aborted.
    exit 1
fi
# Stop Splunk as the splunk user, the same way the installer started it.
runuser -l splunk -c '/opt/splunk/bin/splunk stop'
echo
echo Splunk stopped.
echo
# disable boot-start must run as root (it removes the init script).
/opt/splunk/bin/splunk disable boot-start
echo
echo Splunk boot-start disabled.
echo
userdel -rf splunk
echo
echo Removed splunk linux user.
echo
rm -rf /opt/splunk
echo
echo Removed Splunk folders.
echo
systemctl stop disable-thp
systemctl disable disable-thp
rm -f /etc/systemd/system/disable-thp.service
systemctl daemon-reload
echo "always" > /sys/kernel/mm/transparent_hugepage/enabled
echo "always" > /sys/kernel/mm/transparent_hugepage/defrag
echo
echo "Enabled Transparent Huge Pages (THP)."
echo
# Remove exactly the lines the installer appended (it set NOFILE to 64000, not 65535).
# Running ulimit here would only change this shell, so the persistent settings are
# restored by deleting these lines; they take effect for new services after reboot.
sed -i '/DefaultLimitFSIZE=-1/d' /etc/systemd/system.conf
sed -i '/DefaultLimitNOFILE=64000/d' /etc/systemd/system.conf
sed -i '/DefaultLimitNPROC=20480/d' /etc/systemd/system.conf
echo
echo Set ulimit settings to default.
echo
afz=`firewall-cmd --get-active-zones | head -1`
# Close every port the installer opened, including 8065.
firewall-cmd --zone=$afz --remove-port=8000/tcp --permanent
firewall-cmd --zone=$afz --remove-port=8065/tcp --permanent
firewall-cmd --zone=$afz --remove-port=8089/tcp --permanent
firewall-cmd --zone=$afz --remove-port=8191/tcp --permanent
firewall-cmd --zone=$afz --remove-port=9997/tcp --permanent
firewall-cmd --zone=$afz --remove-port=8080/tcp --permanent
firewall-cmd --zone=$afz --remove-port=10514/udp --permanent
firewall-cmd --reload
echo
echo "Firewall ports used by Splunk closed."
echo
if [[ ! -f /opt/splunk/bin/splunk ]]
    then
        echo Splunk Enterprise has been removed successfully.
        echo
    else
        echo Splunk Enterprise removal has FAILED!
        echo
fi
#End of File

Continued from above:
4. Press "esc" key once.
5. Hold "Shift" and press "z" twice to save.
6. Run the following command to make the script executable: chmod 700 removeSplunk702.sh
7. Then run the script using: ./removeSplunk702.sh

Suggestions/Questions?

0 Karma