The splunk and syslog-ng manifests are intended to be used together. The syslog-ng and splunk services depend on a FIFO existing at /var/log/splunk-syslog. In my environment I have syslog-ng accepting syslog messages, filtering them, and writing to the FIFO and splunk reading from it. You may remove this dependency if you wish.
I also have splunk binding to 127.0.0.1 with an environment variable being set in the manifest. Remove the following from the manifest if you wish to have splunk directly accessible:
<method_environment>
<envvar name="SPLUNK_BINDIP" value="127.0.0.1"/>
</method_environment>
I do this to limit access to the splunk admininstrator interface via an apache reverse proxy. The apache configuration snippet to achieve this is included below. Add apache Allow statements to those who you trust to access the administrator interface.
# Reverse Proxy for splunk listening on localhost:8000
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
# Don't allow access to /admin/ which allows people to upload log files
# and tail any file on the server.
<Location /admin/>
Order Deny,Allow
Deny from all
# Add allow statements here
</Location>
Update: Here are the same ISC dhcpd, splunk and syslog-ng manifests now hosted in my new Google Code repo. I expect these to be more up to date than the opensolaris.org hosted copies.
2 comments:
Hi,
Great work on providing these manifests.
Could you please update the DHCPD manifest so the leases file is in /var/db/dhcpd.leases (where the current version of dhcpd from Sunfreeware expects it to be)?
Cheers,
@Jazz: Thanks. I'll leave it as is. I don't use the Sunfreeware version but feel free to customize it for your environment.
Post a Comment