Wednesday, 7 November 2007

An alternate SMF manifest for Splunk

I recently deployed an enterprise licensed version of Splunk. When an enterprise license is installed Splunk requires users to login before they can start splunking. This protects the Splunk administration pages from anonymous users and removes the need to put Splunk behind an apache reverse proxy for protection.

In order to still be able to access Splunk via HTTP (TCP/IP port 80) or HTTPS (TCP/IP port 443) the SMF manifest I originally wrote needed to be modified to allow the splunk user to open TCP/IP ports less than 1024. This was achieved by adding the “net_privaddr” privilege to the method context in the manifest. The manifest also had to be changed so that Splunk no longer bound sockets to the loop-back address only and was directly accessible.

Once you have loaded this manifest and started Splunk you must initially connect to your splunk server via the web interface and configure it to listen on TCP/IP port 80 or enable SSL and have it listen on TCP/IP port 443. Then restart the service with “svcadm restart splunk”.

Download the complete Splunk SMF manifest. Note that it can be used with both the free and enterprise versions of Splunk.

No comments: