Friday, 9 March 2007

SMF manifests for ISC dhcpd, splunk and syslog-ng

I recently had a couple of SMF manifests listed on the OpenSolaris SMF Community web site. The manifests are for ISC dhcpd, splunk 2.1/2.2, and syslog-ng.

The splunk and syslog-ng manifests are intended to be used together. The syslog-ng and splunk services depend on a FIFO existing at /var/log/splunk-syslog. In my environment I have syslog-ng accepting syslog messages, filtering them, and writing to the FIFO and splunk reading from it. You may remove this dependency if you wish.

I also have splunk binding to with an environment variable being set in the manifest. Remove the following from the manifest if you wish to have splunk directly accessible:

<envvar name="SPLUNK_BINDIP" value=""/>

I do this so that the splunk administrator interface can only be reached through an Apache reverse proxy. The Apache configuration snippet to achieve this is included below. Add Apache Allow statements for those you trust to access the administrator interface.

# Reverse Proxy for splunk listening on localhost:8000
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyPass /
ProxyPassReverse /
# Don't allow access to /admin/ which allows people to upload log files
# and tail any file on the server.
<Location /admin/>
Order Deny,Allow
Deny from all
# Add allow statements here
</Location>
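
The /admin/ restriction only holds if splunk cannot be reached without going through the proxy, so it is worth confirming that the bind setting took effect. The check below is an added example, not part of the original post or the manifests; it assumes port 8000 (from the proxy comment), Solaris-style netstat output, and uses illustrative function names and a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the splunk web
# port is bound to loopback only, so the Apache ACLs cannot be bypassed.
# Assumptions: port 8000 (from the proxy comment) and Solaris-style
# `netstat -an -P tcp` output, where the local address is "addr.port".

# listeners_for_port PORT
# Reads netstat output on stdin; prints the local address of each TCP
# socket in LISTEN state on PORT ("*" means every interface).
listeners_for_port() {
    awk -v port="$1" '
        $NF == "LISTEN" && match($1, /\.[0-9]+$/) {
            if (substr($1, RSTART + 1) == port)
                print substr($1, 1, RSTART - 1)
        }'
}

# check_splunk_bind PORT
# Reads netstat output on stdin. Returns 0 if every listener on PORT is a
# loopback address, 1 if any listener is reachable from other hosts, and
# 2 if nothing is listening (service down or wrong port).
check_splunk_bind() {
    addrs=$(listeners_for_port "$1")
    if [ -z "$addrs" ]; then
        echo "port $1: no listener found"
        return 2
    fi
    exposed=$(printf '%s\n' "$addrs" |
        awk '$0 !~ /^127\./ && $0 != "::1" { printf "%s ", $0 }')
    if [ -n "$exposed" ]; then
        echo "port $1: reachable without the proxy via $exposed"
        return 1
    fi
    echo "port $1: loopback only"
    return 0
}

# Constructed sample (not captured from a real host): splunk on loopback.
SAMPLE='127.0.0.1.8000             *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN'
printf '%s\n' "$SAMPLE" | check_splunk_bind 8000 || true

# On the splunk host:
#   netstat -an -P tcp | check_splunk_bind 8000
```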

Update: Here are the same ISC dhcpd, splunk and syslog-ng manifests now hosted in my new Google Code repo. I expect these to be more up to date than the hosted copies.


Jazz said...


Great work on providing these manifests.

Could you please update the DHCPD manifest so the leases file is in /var/db/dhcpd.leases (where the current version of dhcpd from Sunfreeware expects it to be)?


matthew said...

@Jazz: Thanks. I'll leave it as is. I don't use the Sunfreeware version but feel free to customize it for your environment.