Security

Is there a yum/rpm repo for Splunk?

stefanlasiewski
Contributor

I'm installing Splunk on an Enterprise Linux 6.1 machine.

The Install on Linux instructions talk about a RPM, but don't explain where the RPM is.

A Yum/RPM repository would be helpful in terms of installation, updates and would speed up the deployment of security updates

This would also help with security updates. In our case Splunk doesn't always notify us that there is a security update available and Splunk security updates are not announced via email. If Splunk provided yum & apt repos, then checking for security update could be as simple as yum check-update splunk or yum upgrade splunk.

Does Splunk.com provide a Yum/RPM repository for the Splunk application?

Tags (3)

TomRStevenson
Engager

The problem with the method you suggest is that you must supply all of the version information for the forwarder when doing the wget command, and there doesn't seem a simple way to automate providing this information.  For example, to get the current version of the forwarder (as of this writing), you need to execute:

wget -O splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'

How do you automate the "version=8.0.6" and "filename=splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm" values to be able to execute the "wget" command?

Michael
Contributor

Oh, that makes me feel better, I'm sure that Exhibit A, line 17 has done wonders in protecting us from Enemies of the State. I understand accepting it once, but on every update? On the Forwarders? Please. I bet you heard that from one of their lawyers... 😉

On a lighter note:
We have a private repo, and it works great for everything including the forwarder updates. The problem is that when the Splunk process restarts, it prompts for the license agreement and asks if you want to migrate the database. Yes, I'm aware of the switches we can use, but this can't be automated without some kind of post-processing (script). The upshot is, if we drop a Splunk update in our repos, and folks run 'yum update' across their enclave -- their Splunk instances don't restart -- and the only indication to me is that I notice I haven't seen a bunch of systems reporting in after after a while. With NIST 800-171 breathing down our necks (end-point log monitoring), that's not good.

Are you implying that you've done this, and you don't have that problem?

thanks,
Mike

amiracle
Splunk Employee
Splunk Employee

I've done this using automation tools such as Chef, Puppet and Ansible. I also use the tgz files instead of RPM's, more of a preference on my part. That is a more scalable solution since I can control the deployment and the orchestration of the update. I agree that a yum / apt repo would be nice to have and I've asked for it too.

Thanks,
Kam

amiracle
Splunk Employee
Splunk Employee

Additionally, here is a blog post to help with using a repo server and installing splunk binaries: http://www.rfaircloth.com/2017/03/07/automating-splunk-deployment-redhatcentos-poor-mans-edition/

bishopolis
Path Finder
cp splunkforwarder*.rpm /opt/splunkrepo

Here's where that post skips over the part we want, but does add some flash and finish we can figure ourselves.

0 Karma

kfiresmith
Engager

This only solves a minor part of the problem. People asking for a YUM repo mostly aren't asking because they want to install updates direct from a YUM repository, but because we want an easy sync source for our own pre-existing internal YUM repos that takes the human factor out of checking the main site by hand for updated packages, downloading them and re-publishing them internally. With Satellite or Pulp, all that would happen automatically based on pre-defined sync and publish rules.

Splunk is currently the ONLY vendor I have to do this archaic nonsense by hand with still. Everything else is synced automatically overnight into Satellite and pre-defined rules specify the workflow from there.

Michael
Contributor

But, don't you feel safer knowing that Exhibit A, line 17 is protecting Freedom, Heros, and Apple Pie? 😉

timmy13
Communicator

This is a really old thread, but I wonder if there is an update. It would Splunk would have put a repo up by now.

Michael
Contributor

No change, AFAIK.

Splunk engineers tell me the assumption is that people are using 3rd party products (i.e. Puppet). That's fine if you have staff to support that. But we're just a "medium" sized organization so I'm facing about 1,000 systems (and separate sys-admin groups all doing their own thing) to update manually (i.e. no Puppet). All because Splunk lawyers feel it's necessary for us to acknowledge the freakin' license agreement after every update. After seeing enough of their presentations with that retarded first slide they always put up ("Disclaimer...!") I'm not surprised. Do I sound bitter about this? 'cause I am...

yuvalba
Path Finder

Any update on this topic since it was asked at Nov '11?
I am also going to deploy Splunk forwarder on many servers and was wondering how to ensure it is being kept up to date with security updates etc?
Why not support the native Linux software management tools?

jherring_splunk
Splunk Employee
Splunk Employee

This could be a great way to keep eg forwarders up to date if not the search head/indexers.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

No, Splunk does not provide a yum/RPM repository. (No deb/apt repository either.) You can select your version of choice from: http://www.splunk.com/download (registration needed to download after you've selected your version).

On the target page for the selected download version, you will also find a link the to the MD5 for that version if you wish to verify the download, along with instructions for getting the file using wget instead of your browser.

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...