Deploying Hardened Splunk with Ansible
Just finished 2 blog post on the Splunk blog which covers how to get started with Ansible and deploy harden Splunk instances. Also dive I into how to deploy and manage multiple custom Splunk environment in AWS using Ansible.
- Common — copies keys over, install basic utils (screen,vim etc.), hardens server (by installing rkhunter,chkrootkit,clamav and cronjobs to run them)
- Search Head — install a splunk search head, changes default password, hardens splunk web, among other things, runs as splunk user
- Indexer — install a splunk indexer, copies over indexes, and certs/key of secure comms
- Universal Forwarder — install a UF, deploy inputs.conf and outputs.conf
How to scale it on AWS with multiple Splunk instances, ultimately manage it as a service (Part 2). In part two the way we inventory Ansible changes from a static host file to a dynamic inventory fed out of AWS instances. Due to this it has its own github repo.