
How do I script install Splunk 7.0.2 on CentOS 7 64 bit (THP, ulimit, permissions, ports, and inputs settings)?

sd306
Explorer

I am looking for an automated way to install Splunk 7.0.2 on CentOS 7 64 bit using the best practices for setting Transparent Huge Pages (THP), ulimit, permissions, ports, and inputs settings.

0 Karma
1 Solution

sd306
Explorer

Hello self,

You can use the following automated shell script for CentOS 7 64 bit ONLY 😉

Features:
-Installs wget and downloads the Splunk installer from the web.
-Disables THP.
-Sets ulimit.
-Installs Splunk 7.0.2 on CentOS 7 64 bit ONLY, automatically.
-Creates Linux user "splunk" and sets password.
-Sets proper permissions.
-Opens firewall ports.
-Creates SplunkTCP input over 9997.
-Creates UDP input over 10514.
-Adjusts splunk-launch.conf to mitigate privilege escalation attack.

How-to:
1. Log in as root
2. Create a file called "installSplunk702.sh" in your home directory using the command: vi installSplunk702.sh
3. Press "i" when you are in "vi" to insert text. Copy and paste the below script into the window:


#!/bin/bash
echo
echo '##############################################'
echo '#                                            #'
echo '# Welcome to the Splunk 7.0.2 auto-installer #'
echo '# for CentOS 7 x64.                          #'
echo '# Last updated 03/12/2018.                   #'
echo '# Enter the "splunk" linux user account      #'
echo '# password and press enter to let the magic  #'
echo '# happen. Note: You will change the Splunk   #'
echo '# Web admin password upon first login.       #'
echo '#                                            #'
echo '##############################################'
echo
read -s splunkPassword   # -s keeps the typed password off the terminal
echo
echo "never" > /sys/kernel/mm/transparent_hugepage/enabled
echo "never" > /sys/kernel/mm/transparent_hugepage/defrag
echo "[Unit]" > /etc/systemd/system/disable-thp.service
echo "Description=Disable Transparent Huge Pages" >> /etc/systemd/system/disable-thp.service
echo "" >> /etc/systemd/system/disable-thp.service
echo "[Service]" >> /etc/systemd/system/disable-thp.service
echo "Type=simple" >> /etc/systemd/system/disable-thp.service
echo 'ExecStart=/bin/sh -c "echo never > /sys/kernel/mm/transparent_hugepage/enabled && echo never > /sys/kernel/mm/transparent_hugepage/defrag"' >> /etc/systemd/system/disable-thp.service
echo "" >> /etc/systemd/system/disable-thp.service
echo "[Install]" >> /etc/systemd/system/disable-thp.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/disable-thp.service
systemctl daemon-reload
systemctl start disable-thp
systemctl enable disable-thp
echo
echo "Transparent Huge Pages (THP) Disabled."
echo
ulimit -n 64000
ulimit -u 20480
echo "DefaultLimitFSIZE=-1" >> /etc/systemd/system.conf
echo "DefaultLimitNOFILE=64000" >> /etc/systemd/system.conf
echo "DefaultLimitNPROC=20480" >> /etc/systemd/system.conf
echo
echo "ulimit Increased."
echo
yum install wget -y
cd /tmp
wget -O splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.2&product=splunk&filename=splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz&wget=true'
echo
echo "Splunk Downloaded."
echo
tar -xzvf /tmp/splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz -C /opt
rm -f /tmp/splunk-7.0.2-03bbabbd5c0f-Linux-x86_64.tgz
useradd splunk
# Pipe straight into chpasswd instead of staging the password in a world-readable /tmp file.
echo "splunk:$splunkPassword" | chpasswd
echo
echo "Splunk installed and splunk linux user created."
echo
echo "[settings]" > /opt/splunk/etc/system/local/web.conf
echo "enableSplunkWebSSL = true" >> /opt/splunk/etc/system/local/web.conf
echo
echo "HTTPS enabled for Splunk Web using self-signed certificate."
echo
chown -R splunk:splunk /opt/splunk
afz=`firewall-cmd --get-active-zone | head -1`
firewall-cmd --zone=$afz --add-port=8000/tcp --permanent
firewall-cmd --zone=$afz --add-port=8065/tcp --permanent
firewall-cmd --zone=$afz --add-port=8089/tcp --permanent
firewall-cmd --zone=$afz --add-port=8191/tcp --permanent
firewall-cmd --zone=$afz --add-port=9997/tcp --permanent
firewall-cmd --zone=$afz --add-port=8080/tcp --permanent
firewall-cmd --zone=$afz --add-port=10514/udp --permanent
firewall-cmd --reload
echo
echo "Firewall ports used by Splunk opened."
echo "[splunktcp]" > /opt/splunk/etc/system/local/inputs.conf
echo "[splunktcp://9997]" >> /opt/splunk/etc/system/local/inputs.conf
echo "index = main" >> /opt/splunk/etc/system/local/inputs.conf
echo "disabled = 0" >> /opt/splunk/etc/system/local/inputs.conf
echo "" >> /opt/splunk/etc/system/local/inputs.conf
echo "[udp://10514]" >> /opt/splunk/etc/system/local/inputs.conf
echo "index = main" >> /opt/splunk/etc/system/local/inputs.conf
echo "disabled = 0" >> /opt/splunk/etc/system/local/inputs.conf
chown splunk:splunk /opt/splunk/etc/system/local/inputs.conf
echo
echo "Enabled Splunk TCP input over 9997 and UDP traffic input over 10514."
echo
runuser -l splunk -c '/opt/splunk/bin/splunk start --accept-license'
/opt/splunk/bin/splunk enable boot-start -user splunk
runuser -l splunk -c '/opt/splunk/bin/splunk stop'
chown root:splunk /opt/splunk/etc/splunk-launch.conf
chmod 644 /opt/splunk/etc/splunk-launch.conf
echo
echo "Splunk test start and stop complete. Enabled Splunk to start at boot. Also, adjusted splunk-launch.conf to mitigate privilege escalation attack."
echo
runuser -l splunk -c '/opt/splunk/bin/splunk start'
if [[ -f /opt/splunk/bin/splunk ]]
        then
                echo Splunk Enterprise
                cat /opt/splunk/etc/splunk.version | head -1
                echo "has been installed, configured, and started!"
                echo "Visit the Splunk server using https://hostNameORip:8000 as mentioned above."
                echo
                echo
                echo "                        HAPPY SPLUNKING!!!"
                echo
                echo
                echo
        else
                echo Splunk Enterprise has FAILED install!
fi
#End of File

Continued from above:
4. Press "esc" key once.
5. Hold "Shift" and press "z" twice to save.
6. Run the following command to make the script executable: chmod 700 installSplunk702.sh
7. Then run the script using: ./installSplunk702.sh

Suggestions/Questions?


stanislavmerzly
Engager

Thank you so much! Even if not for the automated install, it is a great, very simple guide for a strong, secure installation!

0 Karma

sd306
Explorer

You're welcome! I also created one for signing certs with your own CA, but may not post that until later.

0 Karma

sandeeprachuri
Path Finder

Hi @sd306, This is very helpful for me. I love the way you wrote both the scripts (easily readable).
What are the changes needed for RHEL 7-64?

Thank you for the great work.
Sandeep

0 Karma

sd306
Explorer

Sandeeprachuri,

You're welcome! I actually am working on some other simple scripts to create index clusters, etc.

While I don't have a RHEL 7 system to test, I don't believe any change is needed. THP used to be located in different areas on CentOS and RHEL 6, but now I believe they are the same on CentOS and RHEL 7.

Please test this on a test RHEL 7 64-bit server and report back!

Thanks,
SD306

0 Karma

guru865
Path Finder

Hello sd306,

Could you please post here the changes required to the script for Amazon Linux AMI 64? It would be great if you could suggest the modifications required.

Thanks
guru865

0 Karma

sd306
Explorer

Thanks self. Now how would I remove it automatically?

0 Karma

sd306
Explorer

How-to:
1. Log in as root
2. Create a file called "removeSplunk702.sh" in your home directory using the command: vi removeSplunk702.sh
3. Press "i" when you are in "vi" to insert text. Copy and paste the below script into the window:


#!/bin/bash
echo
echo '##############################################'
echo '#                                            #'
echo '# Welcome to the Splunk 7.0.2 auto-          #'
echo '# uninstaller for CentOS 7 x64.              #'
echo '# This should ONLY be used to remove Splunk  #'
echo '# 7.0.2 that was installed with the auto-    #'
echo '# installer.                                 #'
echo '# Last updated 03/12/2018.                   #'
echo '# Press enter TWICE to remove Splunk 7.0.2.  #'
echo '#                                            #'
echo '##############################################'
echo
read -p ""
read -p ""
if [[ ! -f /opt/splunk/bin/splunk ]] ; then
    echo Splunk is not installed, removal aborted.
    exit 1
fi
/opt/splunk/bin/splunk stop --accept-license
echo
echo Splunk stopped.
echo
/opt/splunk/bin/splunk disable boot-start
echo
echo Splunk boot-start disabled.
echo
runuser -l splunk -c 'ulimit -u 4096'
userdel -rf splunk
echo
echo Removed splunk linux user.
echo
rm -rf /opt/splunk
echo
echo Removed Splunk folders.
echo
systemctl stop disable-thp
systemctl disable disable-thp
rm -rf /etc/systemd/system/disable-thp.service
systemctl daemon-reload
echo "always" > /sys/kernel/mm/transparent_hugepage/enabled
echo "always" > /sys/kernel/mm/transparent_hugepage/defrag
echo
echo "Enabled Transparent Huge Pages (THP)."
echo
ulimit -n 1024
sed -i '/DefaultLimitFSIZE=-1/d' /etc/systemd/system.conf
sed -i '/DefaultLimitNOFILE=64000/d' /etc/systemd/system.conf   # must match the value the installer wrote
sed -i '/DefaultLimitNPROC=20480/d' /etc/systemd/system.conf
echo
echo Set ulimit settings to default.
echo
afz=`firewall-cmd --get-active-zone | head -1`
firewall-cmd --zone=$afz --remove-port=8000/tcp --permanent
firewall-cmd --zone=$afz --remove-port=8065/tcp --permanent   # opened by the installer, so close it here too
firewall-cmd --zone=$afz --remove-port=8089/tcp --permanent
firewall-cmd --zone=$afz --remove-port=8191/tcp --permanent
firewall-cmd --zone=$afz --remove-port=9997/tcp --permanent
firewall-cmd --zone=$afz --remove-port=8080/tcp --permanent
firewall-cmd --zone=$afz --remove-port=10514/udp --permanent
firewall-cmd --reload
echo
echo "Firewall ports used by Splunk closed."
echo
if [[ ! -f /opt/splunk/bin/splunk ]]
    then
        echo Splunk Enterprise has been removed successfully.
        echo
    else
        echo Splunk Enterprise removal has FAILED!
        echo
fi
#End of File

Continued from above:
4. Press "esc" key once.
5. Hold "Shift" and press "z" twice to save.
6. Run the following command to make the script executable: chmod 700 removeSplunk702.sh
7. Then run the script using: ./removeSplunk702.sh

Suggestions/Questions?

0 Karma
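As an added example that is not part of sd306's scripts (nor Splunk's own tooling), the script below checks the state the installer above is meant to leave behind and, after the uninstaller, that it has been reverted: the active THP mode, the DefaultLimit* keys in /etc/systemd/system.conf (including duplicates left by repeated runs), the root:644 ownership of splunk-launch.conf, the enabled inputs.conf stanzas and the firewalld ports. It assumes the paths and port list used by the scripts above and GNU `stat`; every check takes the file or string it inspects as an argument, so it can be run against the live host or against constructed files.

```bash
#!/bin/bash
# Added example, not part of sd306's scripts: verifies the hardening state the
# installer is supposed to leave behind (and, after the uninstaller, that it is
# gone). Each check reads its input from an argument so it can be pointed at the
# real files on a CentOS 7 host or at constructed files for testing.

# THP mode: the sysfs file reads like "always madvise [never]"; the bracketed
# word is the active setting. Prints that word.
thp_mode() {
    # $1: path to /sys/kernel/mm/transparent_hugepage/enabled or /defrag
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$1"
}

# True when THP is off, which is what the disable-thp unit is meant to enforce.
thp_disabled() {
    [ "$(thp_mode "$1")" = "never" ]
}

# Value of a DefaultLimit* key in system.conf (last occurrence wins, as systemd
# itself does). Prints nothing when the key is absent.
limit_value() {
    # $1: system.conf path, $2: key name, e.g. DefaultLimitNOFILE
    grep -E "^$2=" "$1" | tail -1 | cut -d= -f2
}

# How many times a key appears. The installer appends with >>, so running it
# twice leaves duplicate lines; after the uninstaller's sed this should be 0.
limit_count() {
    # $1: system.conf path, $2: key name
    grep -cE "^$2=" "$1" || true
}

# splunk-launch.conf must be root-owned and mode 644 so the splunk user cannot
# edit the file that the root-run boot-start init script reads.
launch_conf_ok() {
    # $1: owner name, $2: octal mode, as printed by stat -c '%U' and stat -c '%a'
    [ "$1" = "root" ] && [ "$2" = "644" ]
}

launch_conf_hardened() {
    # $1: path to /opt/splunk/etc/splunk-launch.conf
    launch_conf_ok "$(stat -c '%U' "$1")" "$(stat -c '%a' "$1")"
}

# Prints each inputs.conf stanza header that carries "disabled = 0".
enabled_inputs() {
    # $1: path to inputs.conf
    awk '/^\[/ {stanza=$0} /^disabled *= *0 *$/ {print stanza}' "$1"
}

# Compares the ports firewalld reports with the ports the scripts manage and
# prints the missing ones, one per line.
missing_ports() {
    # $1: output of `firewall-cmd --list-ports` (space separated); rest: expected ports
    local have=" $1 " p
    shift
    for p in "$@"; do
        case "$have" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Full report against the live host; run as root with: ./checkSplunk.sh --check
if [ "${1:-}" = "--check" ]; then
    thp_disabled /sys/kernel/mm/transparent_hugepage/enabled \
        && echo "THP: disabled" \
        || echo "THP: $(thp_mode /sys/kernel/mm/transparent_hugepage/enabled)"
    for key in DefaultLimitFSIZE DefaultLimitNOFILE DefaultLimitNPROC; do
        echo "$key: $(limit_value /etc/systemd/system.conf "$key")" \
             "(occurrences: $(limit_count /etc/systemd/system.conf "$key"))"
    done
    launch_conf_hardened /opt/splunk/etc/splunk-launch.conf \
        && echo "splunk-launch.conf: root:644" \
        || echo "splunk-launch.conf: NOT hardened"
    echo "enabled inputs:"
    enabled_inputs /opt/splunk/etc/system/local/inputs.conf
    echo "ports missing from firewalld:"
    missing_ports "$(firewall-cmd --list-ports)" \
        8000/tcp 8065/tcp 8089/tcp 8191/tcp 9997/tcp 8080/tcp 10514/udp
fi
```

After the uninstaller has run, the same functions should report `thp_mode` as `always`, `limit_count` as 0 for all three keys, and every managed port as missing; a non-zero `limit_count` after removal means the sed pattern in the uninstaller did not match what the installer wrote.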