Is there a yum/rpm repo for Splunk?

stefanlasiewski
Contributor

I'm installing Splunk on an Enterprise Linux 6.1 machine.

The Install on Linux instructions talk about a RPM, but don't explain where the RPM is.

A Yum/RPM repository would be helpful in terms of installation and updates, and would speed up the deployment of security updates.

This would also help with security updates. In our case Splunk doesn't always notify us that there is a security update available, and Splunk security updates are not announced via email. If Splunk provided yum & apt repos, then checking for security updates could be as simple as yum check-update splunk or yum upgrade splunk.

Does Splunk.com provide a Yum/RPM repository for the Splunk application?

bishopolis
Path Finder

2 months later.

Have they published a proper repo yet?

A software repo with automatic updates is a tiny, tiny bit of what makes an 'Enterprise' company an Enterprise company, and it's valuable for so many reasons that we all should understand by now. Even if we're using Puppet (chef for us) to manage config, config management doesn't magically absolve sysadmins from the need to be adequate -- and installable artifacts (Hi BruceJackson) are best-practice for a very, very good reason.

I think everyone here wants Splunk to be awesome -- for some of us starting this journey, we've been told so many great things. I'm hoping they've published a repo and just forgotten to update this particular thread, so if anyone found one can you show me where I overlooked it?

amiracle
Splunk Employee

Still working on this internally. Hope to have a response soon.

Intermediate
Path Finder

amiracle could you please provide us all an update? Even if your work didn't go anywhere it would be helpful to have closure.

amiracle
Splunk Employee

The latest update I can give is that I'm working with our IT organization to establish the repo and will post more updates as I get closer to having this done.

Intermediate
Path Finder

Hello,
It's been another two months. Do you think this is likely to happen or is it just too hard internally?

Intermediate
Path Finder

Thank you.

0 Karma

bishopolis
Path Finder

3 months later (76 months overall). Any updates?

Right now, Splunk is considered Not Enterprise Capable due to the broken update stream.

"Day 2" problems are important in the Enterprise.

bishopolis
Path Finder

81 months total. Any luck this is our lucky month?

amiracle
Splunk Employee

While this is not the answer you are looking for, we are working through this to have a solution. PM me if you have any requirements / requests so I can bring them up on our internal meetings.

Intermediate
Path Finder

@amiracle I can't speak for @bishopolis but I expect most of us simply want Splunk to post public repos with Splunk software in RPM and DEB formats.

That way we can set up our automated mirrors/satellite to obtain the latest Splunk version and even patch Universal Forwarders without any human input.

Most other software we are using in our Linux environment doesn't require us to manually log in and download updates every month (or so).

TomRStevenson
Engager

Very well stated.  That is all we are looking for as well.  Thanks!

Intermediate
Path Finder

Do you have an update on this please?
It would save my team manual work every month at least (more for urgent security updates).

The lack of public repos is particularly frustrating for Debian/Ubuntu clients. This is because I will have to set up my own signed repository just to distribute packages which were already signed by Splunk.

It is not possible to just drop the Splunk-signed packages on my apt-mirror; I have to sign the repository itself (or use unsigned packages!).

At least Red Hat based OSes only require a basic repo (and it can be imported into Satellite 6 easily).

bishopolis
Path Finder

Fantastic! But don't be teasing us, now 😉

Soon as you have info I'd love to hear it -- of course!

halr9000
Motivator

We now have security announcements available via RSS feed. I'll mention this in the linked question also. See https://www.splunk.com/page/securityportal

Edit: I see that was already covered there.

kfiresmith
Engager

Sure but that's still treating Splunk content like a special snowflake. I just want to sync the damn rpms into our enterprise the way all the others happen. If even stuck-in-the-1990s Dell can manage, so can Splunk.

amiracle
Splunk Employee

One of the reasons that I heard why Splunk does not have a public repo is that as a part of the Terms of Service under Exhibit A, line 17:

Customer certifies that Customer is not on any of the relevant U.S. government lists of prohibited persons, including the Treasury Department’s List of Specially Designated Nationals and the Commerce Department’s List of Denied Persons or Entity List.

This is done by accepting the terms of service when a user logs in and downloads the software.

The solution is that users can create their own Yum repos and update them using the cURL command listed in the Download page for each version. Once you've set up your own private repo, then you can run yum install splunkforwarder -y and install your forwarder.

Here are the steps to create your own Custom YUM repo:

  • Install "createrepo":
        yum install createrepo
  • Create the repo directory:
        mkdir /splunkrepo
  • Put the RPM into the repo directory. Get this link from the Splunk Download page under Useful Tools, Download via Command Line (wget):
        wget -O SPLUNK.RPM https://www.splunk.com/bin/splunk/DownloadActivityServlet?
        mv /path/to/rpm /splunkrepo
  • Run "createrepo":
        createrepo /splunkrepo
  • Create the repo config file. Example repo file:

        [splunkrepo]
        name=Splunk Software Repository
        baseurl=file:///splunkrepo/
        enabled=1
        gpgcheck=0

* Digital Ocean How-To

balajiswz
New Member

Is Splunk considering any feature update to accommodate the yum repository instead of these individual downloads?

0 Karma

bishopolis
Path Finder

This is done by accepting the terms of service when a user logs in and downloads the software.

The solution is that users can create their own Yum [Repos] and update them using the cURL command listed in the Download page for each version. Once you've set up your own private repo, then you can run yum install splunkforwarder -y and install your forwarder.

It's trivially done by ensuring customers use their own custom credentials to access the repo, embedded in the yum repo URL.  This also provides excellent logging which I'm sure will be the next insurmountable micro-obstacle.

0 Karma

grangerx
Engager

Hi all,

I'm not sure that the repo has to be publicly available to meet the purposes of the requester of this feature.

There are companies (RedHat and EnterpriseDB, for example) that offer authenticated YUM repositories that are not publicly accessible, but still allow their customers to download and manage their packages via YUM.

In that vein, here is a github repo that has a script that I wrote to perform a nightly download of the splunk-enterprise and splunk-universal-forwarder packages and generate a local YUM repo from them.

https://github.com/grangerx/splunk-yum-repo

I've been using it for a while, and it seems to get the job done in my case.

Note: You'll have to give it a splunk.com login for it to be able to download the packages in an authenticated manner.

Thanks,

GrangerX

0 Karma

TomRStevenson
Engager

The problem with the method you suggest is that you must supply all of the version information for the forwarder when doing the wget command, and there doesn't seem to be a simple way to automate providing this information.  For example, to get the current version of the forwarder (as of this writing), you need to execute:

wget -O splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'

How do you automate the "version=8.0.6" and "filename=splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm" values to be able to execute the "wget" command?

Michael
Contributor

Oh, that makes me feel better, I'm sure that Exhibit A, line 17 has done wonders in protecting us from Enemies of the State. I understand accepting it once, but on every update? On the Forwarders? Please. I bet you heard that from one of their lawyers... 😉

On a lighter note:
We have a private repo, and it works great for everything including the forwarder updates. The problem is that when the Splunk process restarts, it prompts for the license agreement and asks if you want to migrate the database. Yes, I'm aware of the switches we can use, but this can't be automated without some kind of post-processing (script). The upshot is, if we drop a Splunk update in our repos, and folks run 'yum update' across their enclave -- their Splunk instances don't restart -- and the only indication to me is that I notice I haven't seen a bunch of systems reporting in after a while. With NIST 800-171 breathing down our necks (end-point log monitoring), that's not good.

Are you implying that you've done this, and you don't have that problem?

thanks,
Mike
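The private-repo steps amiracle posted, the version-from-filename problem TomRStevenson raises, and the non-interactive restart that Michael's post runs into, pulled together as an added POSIX shell example; this is not code from any poster in the thread or from Splunk. It assumes the RPMs were already downloaded from splunk.com, that Splunk's RPM signing public key has been saved at the placeholder path /etc/pki/rpm-gpg/RPM-GPG-KEY-splunk, and that rpm and createrepo are installed; unlike the repo file above it sets gpgcheck=1, since the packages are already signed.

```shell
#!/bin/sh
# Added example (not code from the thread or from Splunk). Helpers for a
# private Splunk yum repo. Assumptions: RPMs are already downloaded; Splunk's
# RPM signing public key is saved at the placeholder path
# /etc/pki/rpm-gpg/RPM-GPG-KEY-splunk; rpm and createrepo are installed.
set -eu
# "8.0.6" from splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm, so the
# version never has to be typed by hand (the filename layout is fixed).
splunk_pkg_version() {
    rest=${1##*/}        # drop directory part
    rest=${rest#*-}      # drop package name (splunk or splunkforwarder)
    printf '%s\n' "${rest%%-*}"
}

# Build id ("152fb4b2bb96") follows the version in the same filename.
splunk_pkg_build() {
    rest=${1##*/}; rest=${rest#*-}; rest=${rest#*-}
    printf '%s\n' "${rest%%-*}"
}

# Repo definition as in the thread, but with gpgcheck=1: the packages are
# already signed by Splunk, so let yum refuse anything that does not verify.
splunk_repo_file() {
    printf '[splunkrepo]\nname=Splunk Software Repository\nbaseurl=file://%s/\n' "$1"
    printf 'enabled=1\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-splunk\n'
}

# True only if rpm reports a good signature (not merely good digests).
splunk_rpm_signed() {
    out=$(rpm -K "$1" 2>/dev/null) || return 1
    case "$out" in *"NOT OK"*) return 1 ;; esac
    printf '%s\n' "$out" | grep -Eq '(pgp|signatures).*OK'
}

# Verify each RPM, copy it in, rebuild metadata, install the .repo file.
build_splunk_repo() {
    repo_dir=$1; shift
    mkdir -p "$repo_dir"
    for f in "$@"; do
        splunk_rpm_signed "$f" || { echo "rejecting unsigned/bad: $f" >&2; return 1; }
        echo "adding $(basename "$f"): version $(splunk_pkg_version "$f") build $(splunk_pkg_build "$f")"
        cp "$f" "$repo_dir"/
    done
    createrepo --update "$repo_dir"
    splunk_repo_file "$repo_dir" > /etc/yum.repos.d/splunkrepo.repo
    # The post-update restart must not block on the license/migration prompts:
    # splunk start --accept-license --answer-yes --no-prompt   (Splunk CLI flags)
}
# Usage: sh build_splunk_repo.sh /splunkrepo /tmp/splunkforwarder-*.rpm
if [ "$#" -gt 0 ]; then build_splunk_repo "$@"; fi
```

A cron job that runs the download command from the thread and then this script gives the unattended nightly refresh grangerx describes, with every package checked against the vendor key before it is published.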
