ZachChristensen28/TA-pihole_dns

HF configuration

Closed this issue · 1 comment

Is your feature request related to a problem? Please describe.
I have a multi-site setup with a Heavy Forwarder and multiple piholes per site. However, only the HFs can reach the site-local pihole APIs. Also, the HFs are headless, i.e., no web UI.

Is there recommended configuration to push to HFs to allow them to query the pihole API? (i.e., endpoint, API tokens, ...)? Ideally, this is automatable in some form, rather than logging into each site's HF.

Describe the solution you'd like
Currently, I have configuration pushed to these Splunk entities:

  • pihole app to Splunk stack (single site/cloud)
  • UF on each pihole, scraping logs

Desired:

  • (per site) HF configuration to query pihole APIs

Happy to test configuration and contribute documentation, once the path is clear.

This should be able to be accomplished through configuration files, but I have not tested it.

Example:

This example will demonstrate the use of the Splunk deployment server to manage configurations across the HFs; however, another configuration management tool can be used.

Process Overview:

  1. Generate configurations using Splunk web.
  2. Copy configurations to new deployment app.
  3. Update passwords.
  4. Push configurations to HFs.

Generate configurations using Splunk web

  1. Using Splunk web with the Pihole DNS add-on installed, create the account and inputs. Don't worry if this is not the server that can reach the Pi-hole server. The generated configurations will be used as a template that will then be pushed using the deployment server.
  2. Open the CLI for the server where the above configurations were created through the web.
  3. Navigate to $SPLUNK_HOME/etc/apps/TA-pihole_dns/local. These configurations will be used in the upcoming steps.

Copy configurations to new deployment app

The following steps will be performed on the Splunk deployment server.

  1. Copy the TA-pihole_dns add-on to $SPLUNK_HOME/etc/deployment-apps and delete the subdirectory named "local".
  2. Create a new "app" in $SPLUNK_HOME/etc/deployment-apps that will contain the generated inputs. This example will use the app name of site1_pihole_inputs. Create a sub-directory called "local".
  3. From the previous section "Generate configurations using Splunk web," copy each file to this newly created directory ($SPLUNK_HOME/etc/deployment-apps/site1_pihole_inputs/local/).
  4. Ensure that the inputs.conf includes only the inputs for the pihole-server you wish to pull configurations from. In this case, it is my "site1" pihole server.

Update Passwords

This step requires a CLI session to both the Deployment server and the HF that will receive the created configuration "site1_pihole_inputs".

  1. On the deployment server, if you open $SPLUNK_HOME/etc/deployment-apps/site1_pihole_inputs/local/passwords.conf you will notice two encrypted passwords. These passwords will need to be updated so that the HF can understand them. Currently, only the deployment server can decrypt these passwords since each Splunk server uses a different salt value when hashing passwords. Notice that one of the passwords is much longer than the other.

  2. Copy the longer password and decrypt it using the following command: splunk show-decrypted --value 'long-password-here'. Be sure to wrap the password in single quotes. The output from the command will look similar to the following:

    ``splunk_cred_sep``S``splunk_cred_sep``P``splunk_cred_sep``L``splunk_cred_sep``U``splunk_cred_sep``N``splunk_cred_sep``K``splunk_cred_sep``
    
  3. Copy this output and move on to the next step.

  4. Open the CLI to the HF.

  5. Run the following command to encrypt the output in a format the HF can understand: splunk show-encrypted --value 'paste_output_here'.

  6. You will then use the new output from this command in the site1_pihole_inputs passwords.conf file. Be sure to replace the longer password that we decrypted in the first step. Next we will update the other (shorter) password.

  7. Note this step requires you to type the plain-text version of your API key in the command line: run the command splunk show-encrypted --value '{"api_key": "your_api_key_here"}'. Replace your_api_key_here with your API key. This will then print out a new password.

  8. Similar to before, replace the shorter password in passwords.conf with this new password.

Push Configurations to HFs

By now, you should have a new "app" with an updated passwords.conf file. Now the deployment server can be used to push apps to the correct HF to begin collecting inputs.

  1. On the deployment server UI, create a new serverclass that will deploy the TA-pihole_dns add-on to all HFs.
  2. Next create another serverclass for the site 1 HF that will contain the new app. Make sure to only include the HF as a client that will use the "site1_pihole_inputs" app. Also ensure that splunkd restarts upon installation.

Complete

Once complete, you should see results come into Splunk. This was an example for site 1; repeat these steps for each additional site.

These steps are advanced and may be unclear. Please respond with clarification questions and note that this is not a tested method beyond a development instance.
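An added helper for the "Update Passwords" section of the comment above (example code, not part of the add-on or of this thread). It parses a passwords.conf, picks out the longer and shorter stanza the way the comment distinguishes the two secrets, builds the `{"api_key": ...}` plaintext exactly as step 7 expects, and rewrites the file with the values re-encrypted on the HF. The stanza names and `$7$` values are constructed placeholders, not the add-on's real ones; `splunk_cli` is an assumed wrapper that passes arguments as an argv list so the plaintext API key from step 7 does not go through a shell or its history file.

```python
"""Re-key TA-pihole_dns passwords.conf for a Heavy Forwarder (added example).

Assumptions: passwords.conf uses `[stanza]` headers with a `password = $7$...`
key, and the `splunk show-decrypted` / `splunk show-encrypted` commands from
the comment are available on the deployment server and HF respectively.
"""
import json
import re
import subprocess
from pathlib import Path

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
PASSWORD_RE = re.compile(r"^password\s*=\s*(?P<value>\S+)\s*$")

# CONSTRUCTED sample: stanza names and encrypted values are placeholders.
SAMPLE_CONF = """\
[credential:pihole_site1_split:]
password = $7$c2FtcGxlLWxvbmctdmFsdWUtY29uc3RydWN0ZWQtZm9yLWlsbHVzdHJhdGlvbg==
[credential:pihole_site1_api:]
password = $7$c2hvcnQtc2FtcGxl
"""


def parse_passwords_conf(text: str) -> dict[str, str]:
    """Return {stanza: encrypted_value} for every stanza carrying a password key."""
    entries, current = {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = PASSWORD_RE.match(line)
        if m and current is not None:
            entries[current] = m.group("value")
    return entries


def split_by_length(entries: dict[str, str]) -> tuple[str, str]:
    """The comment tells the two secrets apart only by length: the longer
    encrypted value is the splunk_cred_sep string, the shorter is the api_key
    JSON. Return (long_stanza, short_stanza) and refuse anything else."""
    if len(entries) != 2:
        raise ValueError(f"expected exactly two password stanzas, got {len(entries)}")
    (a, va), (b, vb) = entries.items()
    return (a, b) if len(va) > len(vb) else (b, a)


def api_key_payload(api_key: str) -> str:
    """Plaintext to hand to `splunk show-encrypted` for the shorter secret (step 7)."""
    return json.dumps({"api_key": api_key})


def rewrite_passwords_conf(text: str, new_values: dict[str, str]) -> str:
    """Swap the password value in each named stanza; every other byte is kept."""
    out, current, seen = [], None, set()
    for line in text.splitlines(keepends=True):
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
        elif current in new_values and PASSWORD_RE.match(line):
            line = f"password = {new_values[current]}\n"
            seen.add(current)
        out.append(line)
    missing = set(new_values) - seen
    if missing:
        raise KeyError(f"stanzas not found in passwords.conf: {sorted(missing)}")
    return "".join(out)


def splunk_cli(splunk_home: str, *args: str) -> str:
    """Run $SPLUNK_HOME/bin/splunk with an argv list (no shell, no history file).
    Example: splunk_cli("/opt/splunk", "show-encrypted", "--value", api_key_payload(k))"""
    cmd = [str(Path(splunk_home) / "bin" / "splunk"), *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    # Dry run on the constructed sample. In the real flow the decrypt happens on
    # the deployment server and both encrypts on the HF, via splunk_cli().
    entries = parse_passwords_conf(SAMPLE_CONF)
    long_stanza, short_stanza = split_by_length(entries)
    print("on DS:", "splunk show-decrypted --value", repr(entries[long_stanza]))
    print("on HF:", "splunk show-encrypted --value '<decrypted output from DS>'")
    print("on HF:", "splunk show-encrypted --value", repr(api_key_payload("your_api_key_here")))
    print(rewrite_passwords_conf(SAMPLE_CONF, {
        long_stanza: "$7$REENCRYPTED_ON_HF_long_placeholder",
        short_stanza: "$7$REENCRYPTED_ON_HF_short_placeholder",
    }))
```

The rewritten text is what goes back into `$SPLUNK_HOME/etc/deployment-apps/site1_pihole_inputs/local/passwords.conf` before the serverclass push; running the two `show-encrypted` calls on the HF itself is what makes the values readable there, since the deployment server's encryption is not portable.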