cca_for_splunk

Ansible automation framework for Splunk

Primary language: Shell. License: MIT.


A full lifecycle management interface for Splunk

Ever wished you had a central interface to interact with all aspects of Splunk architecture and administration? Let's be honest, running Splunk is all about finding an efficient and scalable way to manage all .conf files and the other magic under the hood. At scale, the complexity often gives way to either speed or quality - if you don't find a way to automate it.

That is precisely what we've done for years, and now it's time to share how you can do it too. Our solution enables full lifecycle management of Splunk using a Continuous Configuration Automation framework powered by Ansible.

Note

This is a free, read-only, open-source project: a fully working but limited and unsupported version based on the full enterprise solution, hence the low number of commits in this repo. For a better overview of all improvements, check out the release notes. For enterprise use, we recommend our subscription service, which includes an expanded feature set, full end-user support and optional premium extensions to expand the framework's capabilities. For subscribing customers we also offer additional services, including strategic advisory, implementation and custom feature development projects.


What is CCA for Splunk?

The templates that we provide for configuring Splunk roles are the ones used in our own multisite cluster implementations. After you have configured your project, the control is in your hands when it comes to deciding your settings. Adding or modifying parameters has no impact on the framework and is localized under your control.

Playbooks are DRY (Don't Repeat Yourself), with almost no tasks of their own; instead they use common code in roles. So an update of a task only has to be done in one place, keeping code updates much cleaner and easier to overview.

You can find a more in-depth Project Presentation as well as a Q&A section in the Wiki.


For a deep dive into the technology behind CCA for Splunk, please have a look at the Technical documentation.

Where does CCA for Splunk come from and who supports it?

The framework concept used in CCA for Splunk goes back several years and has proven to be absolutely critical in managing complex Splunk infrastructures with 100+ servers in several environments. 450+ tasks have been developed across 10 carefully created Ansible roles. We continuously invest hundreds of development hours in every release, so that you get the scalability you should expect from an automation framework. Besides adding your servers to the Ansible inventory file, there are fewer than 25 parameters that you have to set per environment; then off you go on a very different Splunk journey.

This is the free open-source version of this automation framework, a trickle-down version of our premium option but with all features needed to administrate a Splunk environment of any size.

Commercial version of CCA for Splunk?

CCA for Splunk is designed to be a companion tool for Splunk administrators in any type of enterprise. As with any tool, it requires a lot of competence from the user to wield effectively. For Splunk Enterprise or Splunk Cloud customers who want to start their automation journey with CCA for Splunk with support and additional enterprise functionality, we offer a complete package of both technology and supporting services in the CCA for Splunk Premium portfolio.

Visit our CCA for Splunk - Premium page and read more about who backs this project and what else you can do with CCA for Splunk.

Features

Open Source and Premium:

Feature / Open Source / Premium / Premium Extension
Templates for Splunk validated Architectures
Server naming convention for all Splunk roles
Setup Wizard for environment creation
Automation Readiness helper
Management of All in one Servers
Management of Data Collection Nodes
Management of Deployment Servers
Management of Forwarders
Management of Hybrid Search Heads
Management of Index Clusters
Management of License Managers
Management of Monitoring Consoles
Management of Search Head Clusters
Management of Standalone Indexers
Management of Standalone Search Heads
Standard Data Onboarding
App deployment to all Splunk Roles
Rolling Splunk Enterprise Upgrade - Clusters
Upgrade Splunk Enterprise - Standalone servers
Configure Splunk to use self-signed Splunk certs
Deploy Manually created organization certs
Linux server configuration
Splunkd service creation with non-privileged user support
Setup of CCA Manager
Docker image with CCA for Splunk
Configure Splunk user profile
Number of supported environments ♾️ ♾️
Number of supported Index Clusters per environment 1️⃣ 9️⃣
Number of supported Search Head clusters per environment 2️⃣ 9️⃣
Framework Support from Orange Cyberdefense
Password and Secrets update in Setup Wizard
Management of Forwarder Groups
Management of Deployment Server Groups
Advanced Data Onboarding
Advanced App deployment to Cluster Managers
Advanced App deployment to Deployment Servers
Advanced App deployment to Search Head Clusters
Support for Orange Cyberdefense Extensions
Version control of Splunk Infrastructure changes
Version control of Splunk Data Onboarding changes
Framework upgrade support
Framework Knowledge training
Data onboarding Knowledge training
Access to submit issues
Access to pre-releases
Access to development resources for custom demands
OS Disk setup and volume groups
Rolling OS upgrade with minimal disruption on Splunk ingest
Deployment of certificates retrieved by Certificate API service
Configuration of Splunk Enterprise Authentication
Cloud LCM for AWS
Cloud LCM for Azure
Splunk Cloud LCM
Solutions for IT Service Intelligence
Dev Ops LCM for Splunk Enterprise
Dev Ops LCM for Splunk ITSI
Dev Ops LCM for Splunk Cloud Platform
Dev Ops LCM for Github

How to get started

1: Plan your architecture

  • CCA for Splunk can deploy anything from standalone servers to multisite clusters, with up to 9 clusters in each environment, all controlled by the same automation framework. Proper planning is key to defining the type of architecture(s) that will be created, their environment, individual specifications and requirements.

2: Set up the CCA manager

  • The CCA manager is the host that orchestrates and manages the automation and configuration deployment. There are currently two ways to deploy the manager.
    1. Use the docker image for cca_for_splunk
    2. Set up the manager on a regular host and pull CCA for Splunk.

For more in-depth information check this guide: Setup CCA Manager

3: Set up your environment

Watch the video cca_for_splunk Setup Wizard to see the steps of setting up the manager before you continue.

For more in-depth information check this guide: Setup CCA Manager - Environment

4: Update ansible inventory and variables

For more in-depth information check this guide: Setup CCA Manager - Ansible configuration

5: Validate your environment variables

Before you start using CCA, and after updating to a new release, run the playbook validate_cca_infrastructure_parameters.yml to verify that all files in your cca_splunk_infrastructure repo are up to date with the versions required by the CCA framework. The verification needs to run in check mode; see the command below.

To run an infrastructure playbook:

cd ~/data/main/cca_splunk_infrastructure
./cca_ctrl -c

6: Configure environment using CCA

If you have servers that are not yet set up for Splunk Enterprise, start by running the configure_linux_servers.yml playbook, which prepares the server with the users, services and settings needed to install Splunk Enterprise on it. See the README.md of the cca.core.linux role.

When the server configuration is completed, run the playbook for managing the architecture you want to set up.

If you are installing a multisite index and search head cluster, start by configuring the index cluster using the playbook manage_index_clusters.yml before you run the playbook manage_searchhead_cluster.yml.

7: Onboard data and apps

Now that your Splunk infrastructure is running smoothly, it's time to onboard data and apps. Follow the documentation at cca.splunk.onboarding. When the apps and configuration are completed, run one of the deploy_* playbooks to deploy your apps to the destination servers.

To run an onboarding playbook:

cd ~/data/main/cca_splunk_onboarding
./cca_ctrl -c

Note

Don't forget that we offer a service to set up and support CCA for you! Please check out our premium offering: CCA for Splunk - Premium