
How to set command line parameters that splunkd passes to mongod?

kurdbahr
Path Finder

How do I configure the command line parameters that splunkd passes to mongod?
Especially I would like to set the --bind_ip parameter so that mongod listens on localhost only.
By default it listens on all available interfaces.


southeringtonp
Motivator

Personally I prefer to outright disable the kvstore, at least until Splunk gets some sort of coherent setup for it. The way the whole thing is implemented still feels a bit like a cheap hack. In server.conf, you can set:

[kvstore]
disabled = true

That said, it appears that mongod is executed explicitly from splunkd, so if you actually need it, then unless there's some kind of undocumented way to configure it, it's going to be difficult to fix directly.

It should be possible to work around with a shell script, but it would fall under the category of extremely unsupported.

If somebody wants to come along and downvote this as a bad idea, feel free, but please also provide a viable solution if you do. I'm sure I'm not the only one who'd like to see a clean fix.

#!/bin/sh
#
# Wrapper script for Splunk internal mongodb (aka kvstore) instance
#
# Disclaimer:  This is an awful hack and EXTREMELY UNSUPPORTED.  Don't come to me or to Splunk if it breaks everything.
#
# To use:
#   cd /opt/splunk/bin
#   mv -v mongod mongod.bin
#   ln -s mongod-wrapper.sh mongod
#
# Splunk will then execute the shell script instead of the default.
# Splunk will also throw InstalledFilesHashChecker warnings in splunkd.log
# This may also prevent Splunk's normal init scripts from shutting mongodb down correctly.
#
ADD_PARAMS="--sslCAFile /opt/splunk/etc/auth/rootCA.pem --bind_ip 127.0.0.1 --sslPEMKeyFile=/opt/splunk/etc/auth/splunk-mongodb.pem --sslMode requireSSL --sslAllowConnectionsWithoutCertificates"
# Pass every original argument through; "$@" preserves quoting and is not limited to nine arguments.
echo "$0.bin" "$@" $ADD_PARAMS > /tmp/mongod.cmdline
exec "$0.bin" "$@" $ADD_PARAMS
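
A way to check which address mongod actually ends up listening on, as an added example that is not part of the original thread or of Splunk's tooling: the function reads `ss -H -ltnp` output and prints every mongod listener (including the `mongod.bin` process name that the wrapper above produces) that is not bound to loopback. The function name and the sample lines, ports and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag mongod listeners that are not bound to loopback.
# Input on stdin: output of `ss -H -ltnp` (Linux, iproute2).

# Print "address:port" for every LISTEN socket owned by mongod (or
# mongod.bin, the name seen when the wrapper exec's the renamed binary)
# whose local address is not 127.0.0.0/8 or [::1].
exposed_mongod_listeners() {
    awk '
        $1 == "LISTEN" && /"mongod(\.bin)?",pid=/ {
            addr = $4                      # Local Address:Port column
            host = addr
            sub(/:[0-9]+$/, "", host)      # strip the trailing :port
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }'
}

# Constructed sample: mongod listening on all interfaces.
sample_before() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:8191 0.0.0.0:* users:(("mongod",pid=2101,fd=7))
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=2050,fd=4))
LISTEN 0 128 127.0.0.1:8065 0.0.0.0:* users:(("python3",pid=2230,fd=5))
EOF
}

# Constructed sample: mongod started with --bind_ip 127.0.0.1 via the wrapper.
sample_after() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:8191 0.0.0.0:* users:(("mongod.bin",pid=2101,fd=7))
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=2050,fd=4))
EOF
}

echo "before: $(sample_before | exposed_mongod_listeners)"
echo "after:  $(sample_after | exposed_mongod_listeners)"
# On a live host (root is needed to see process names):
#   ss -H -ltnp | exposed_mongod_listeners
```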

skylasam_splunk
Splunk Employee

You can control this by setting the SPLUNK_BINDIP in splunk-launch.conf.

0 Karma

kurdbahr
Path Finder

I would like to change the bind address of the mongod process only, not that of the splunkd process.
