austincloudguru.splunk_forwarder

Ansible Role: splunk-forwarder


This role installs the Splunk universal forwarder.

Requirements

This role has been tested on Ubuntu 22.04 & 20.04, Oracle Linux 8 & 9, Amazon Linux 2023, and Debian 12. It should work on any system that uses systemd. You can find the previous version of this role as a tag (v1.0).

Role Variables

Default

The default settings will likely work for most users, but you can change them if needed. Here are the main variables:

  • splunk_forwarder_user: Default User (splunk)
  • splunk_forwarder_group: Default Group (splunk)
  • splunk_forwarder_uid: Default User ID (10011)
  • splunk_forwarder_gid: Default Group ID (10011)
  • splunk_release: Default Release Version (7.1.3)
  • splunk_url: Default Download URL
  • splunk_forwarder_rpm: Default Splunk RPM Name
  • splunk_forwarder_deb: Default Splunk Deb Name
  • splunk_rpm: Full URL for RPM
  • splunk_deb: Full URL for Deb
  • splunk_deb_checksum: Checksum for Deb
  • splunk_rpm_checksum: Checksum for RPM
  • splunk_forwarder_input_blacklist: Default blacklist for inputs.conf
  • splunk_forwarder_manage_inputs: Manage inputs.conf (true)
  • splunk_forwarder_manage_outputs: Manage outputs.conf (true)
  • splunk_forwarder_install_with_package_manager: Use a package manager (false)
  • splunk_forwarder_packages: Package manager packages ([splunkforwarder])
  • splunk_forwarder_cpu_shares: CPU shares for startup file
  • splunk_forwarder_memory_limits: Memory limits for startup file

Playbook Variables

In your playbook, set these variables:

  • splunk_forwarder_admin_user: Administrative user for the forwarder
  • splunk_forwarder_admin_pass: Administrative password for the forwarder
  • splunk_forwarder_depl_server: URL:Port of your Splunk deployment server (e.g., "splunk-mgt:8089") (optional)
  • splunk_forwarder_indexer: URL:Port of your Splunk indexer (e.g., "splunk-indexer:9997")
  • splunk_forwarder_index: The index the forwarder should use (e.g., "default")
  • splunk_forwarder_sourcetype: The source type (e.g., "nginx")

You also need to specify which logs to forward in a list:

  • splunk_forwarder_logs:
    • /var/log/nginx/access.log
    • /var/log/nginx/error.log

Dependencies

You need to have a Splunk indexer running in your environment.

Example Playbook

In your playbook, define the required variables and call the role:

- hosts: nginx
  remote_user: ec2-user
  become: True
  vars:
    splunk_forwarder_indexer: "splunk-indexer:9997"
    splunk_forwarder_index: "prodapps"
    splunk_forwarder_sourcetype: "nginx"
    splunk_forwarder_logs:
      - /var/log/nginx/access.log
      - /var/log/nginx/error.log
  roles:
    - splunk-forwarder

For Amazon Linux instances, add this to your playbook to avoid errors:

  pre_tasks:
    - set_fact: ansible_distribution_major_version=6
      when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
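
A variant of the playbook above that also sets the administrative credentials from the Playbook Variables list, as an added example that is not part of the role's own documentation. It assumes a vault-encrypted file vars/splunk_vault.yml and the variable names vault_splunk_forwarder_admin_user and vault_splunk_forwarder_admin_pass (all hypothetical names), so the password is never stored in plaintext in the playbook or in version control.

```yaml
# Added example, not from the role's README.
# Assumed (hypothetical) names: vars/splunk_vault.yml and the vault_* variables.
# Create the encrypted file with:  ansible-vault create vars/splunk_vault.yml
# Run the play with:               ansible-playbook site.yml --ask-vault-pass
- hosts: nginx
  remote_user: ec2-user
  become: true
  vars_files:
    - vars/splunk_vault.yml          # encrypted at rest with ansible-vault
  vars:
    # Map the vaulted values onto the variables the role reads.
    splunk_forwarder_admin_user: "{{ vault_splunk_forwarder_admin_user }}"
    splunk_forwarder_admin_pass: "{{ vault_splunk_forwarder_admin_pass }}"
    splunk_forwarder_depl_server: "splunk-mgt:8089"   # optional
    splunk_forwarder_indexer: "splunk-indexer:9997"
    splunk_forwarder_index: "prodapps"
    splunk_forwarder_sourcetype: "nginx"
    splunk_forwarder_logs:
      - /var/log/nginx/access.log
      - /var/log/nginx/error.log
  pre_tasks:
    # Stop before the role runs if the credentials are missing or empty.
    # no_log keeps the evaluated values out of the task output and logs.
    - name: Check that the vaulted admin credentials are set
      ansible.builtin.assert:
        that:
          - splunk_forwarder_admin_user | default('') | length > 0
          - splunk_forwarder_admin_pass | default('') | length > 0
        quiet: true
      no_log: true
  roles:
    # Role name as installed by: ansible-galaxy install austincloudguru.splunk_forwarder
    - austincloudguru.splunk_forwarder
```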

License

MIT

Author Information

Mark Honomichl, also known as AustinCloudGuru. Created in 2016.

Installation

ansible-galaxy install austincloudguru.splunk_forwarder