Hi
I am maintaining my Splunk config with Chef (or Puppet).
But after pushing my config and restarting Splunk, some files are modified (server.conf).
This is causing a new deployment to occur in a loop.
Is this normal, and how can I avoid it?
This is a known behavior in Splunk when you push configuration.
The files containing passwords are:
$SPLUNK_HOME/etc/system/local/server.conf
[sslConfig]
sslKeysfilePassword = $1$uRefsdTFJSp
$SPLUNK_HOME/etc/system/local/authentication.conf
may also contain the LDAP bind user password.
The local secret key is $SPLUNK_HOME/etc/auth/splunk.secret
and this file is generated during the first start of Splunk (therefore it may be different on each instance).
(This is the same for the local certificates in $SPLUNK_HOME/etc/auth/)
The solution is to
1 - have the same splunk.secret on your servers
2 - when you modify your configuration files, have them encrypted using the same splunk.secret (by starting Splunk once on an instance) before pushing them.
Remark: in server.conf there is another unique value, the GUID.
Example:
[general]
guid = 163F9EF5-B334-4A32-933E-801F4F0D6B90
It is used for the license-slaves to identify to the license-master.
So if you are using a license-master, make sure that each server.conf is unique per license-slave.
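As an added example (not part of the original answer and not Splunk's own tooling), a pre-push check for a managed .conf file that flags password settings still in plaintext, which Splunk would rewrite on restart, and a guid in a file pushed to several hosts. The name audit_conf, the "password" name heuristic and the sample files are assumptions constructed for illustration.

```python
import re

# "$1$" is the prefix shown in the answer; "$7$" is used by newer Splunk releases.
ENCRYPTED_PREFIXES = ("$1$", "$7$")
SECTION = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


def audit_conf(text, shared_across_hosts=True):
    """Return findings for settings Splunk would rewrite or that must be unique."""
    findings = []
    stanza = "default"
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            stanza = m.group("name")
            continue
        m = SETTING.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        # Heuristic (assumption): any setting whose name contains "password".
        is_secret = "password" in key.lower() and value
        if is_secret and not value.startswith(ENCRYPTED_PREFIXES):
            findings.append((lineno, stanza, key, "plaintext: rewritten on restart"))
        if stanza == "general" and key == "guid" and shared_across_hosts:
            findings.append((lineno, stanza, key, "guid in a file pushed to several hosts"))
    return findings


# Constructed sample: what a Chef/Puppet template might contain before the fix.
SAMPLE_TEMPLATE = """\
[general]
guid = 00000000-0000-0000-0000-000000000000

[sslConfig]
sslKeysfilePassword = changeme-constructed
"""

# Constructed sample: the same file after Splunk encrypted it, guid left out.
SAMPLE_ENCRYPTED = """\
[sslConfig]
sslKeysfilePassword = $1$constructedvalue
"""

if __name__ == "__main__":
    print(audit_conf(SAMPLE_TEMPLATE))
```

A value that passes this check is only stable on hosts that carry the splunk.secret it was encrypted with; the check cannot verify that.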