I'm trying to build a Local Attack Range but it fails when it tries to restart the splunk.service. The Splunk instance does restart but fails when the systemctl command is implemented. I did ensure that THP was disabled, SELinux was disabled and ulimits were set properly on the host.
I did increase the timeout but it fails to restart even after 30 minutes. The "python attack_range.py build" does successfully create the Splunk instance and installs all the required apps & TAs. It just fails to restart once the Splunk Enterprise as a systemd service within the Vagrant VM.
Any feedback would be appreciated!!!
TASK [splunk_server_post : change password splunk] *****************************
changed: [ar-splunk-attack-range-key-pair-ar]
TASK [splunk_server_post : restart splunk] *************************************
fatal: [ar-splunk-attack-range-key-pair-ar]: FAILED! => {"changed": false, "msg": "Unable to restart service splunk: Job for splunk.service failed because a timeout was exceeded.\nSee \"systemctl status splunk.service\" and \"journalctl -xe\" for details.\n"}
RUNNING HANDLER [splunk_server_post : restart splunk] **************************
PLAY RECAP *********************************************************************
ar-splunk-attack-range-key-pair-ar : ok=139 changed=64 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Ansible failed to complete successfully. Any error output should be visible above. Please fix these errors and try again.
2024-09-19 16:22:49,709 - ERROR - attack_range - vagrant failed to build
(attack-range-py3.8) aradmin@attackrange:~/attack_range$
Here is my attack_range yml file:
Check out: ansible.builtin.file module – Manage files and file properties — Ansible Community Documentation
- name: Recursively change ownership of a directory
  ansible.builtin.file:
    path: /etc/foo
    state: directory
    recurse: yes
    owner: foo
    group: foo
What happens when you execute the restart command manually? Do you use the correct user in your ansible script? Maybe you have to set "become: true" if splunk runs under root.
I did fix the restart issue
But in the $HOME/attack_range/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml, the following stanza fails: