splunk_universal_forwarder.yaml
---

EC2 Basic CloudFormation Deployment

This CloudFormation template deploys a single EC2 instance that installs and runs the Splunk Universal Forwarder.

Configuration files are kept in an S3 bucket

It also mounts the PeopleSoft EFS file systems where the logs are kept. The ISO office Splunk deployment server is where the configuration for which logs to collect is kept; the forwarder is pointed at it by the deploymentclient.conf downloaded below.

AWSTemplateFormatVersion: "2010-09-09"

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:
  KeyName:
    Description: Amazon EC2 Key Pair to be used to SSH in
    Type: AWS::EC2::KeyPair::KeyName
  S3BucketName:
    Description: 'Disaster Recovery Bucket Name'
    Type: String
    Default: "peoplesoft-iso-splunk-nonprod"
  HREFSStackName:
    MinLength: '2'
    Type: String
    Description: Name of the HR EFS CloudFormation Stack
    Default: PeopleSoftHR-EFS
  ELEFSStackName:
    MinLength: '2'
    Type: String
    Description: Name of the EL EFS CloudFormation Stack
    Default: PeopleSoftEL-EFS
  SAEFSStackName:
    MinLength: '2'
    Type: String
    Description: Name of the SA EFS CloudFormation Stack
    Default: PeopleSoftSA-EFS
  InstanceSubnet:
    Description: Private Subnet
    Type: AWS::EC2::Subnet::Id
  InstanceType:
    Description: "EC2 Instance Type"
    Type: String
    Default: "t3.micro"
    # Note: the m5 family has no small or medium size (the smallest is m5.large),
    # so selecting either of the last two values would fail at launch.
    AllowedValues:
      - "t3.micro"
      - "m5.small"
      - "m5.medium"
  AmazonLinuxAmi:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2
    Description: Amazon Linux Latest AMI ID
    AllowedValues:
      - /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2

Tags

The following tags are applied to all resources created by this template.

  # (still under Parameters:)
  ServiceTag:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
    Default: "splunk"
  EnvironmentTag:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, cfg, sup, rpt]
    Default: prd
  ContactNetidTag:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
    Default: "shaloo"
  AccountNumberTag:
    Type: String
    Description: Identifies the financial system account number.
  SubAccountTag:
    Type: String
    Description: Identifies the financial system account number.
  TicketNumberTag:
    Type: String
    Description: Used to identify the Jira, Cherwell, or other ticketing system ticket number to link to more information about the need for the resource.
    Default: "MEM-20794"

Metadata

The Metadata section only groups and labels the parameters for the CloudFormation console; it has no effect on the deployed resources.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Instance Settings
        Parameters:
          # Only parameters declared above may be listed here. The original listed VPCID,
          # which this template does not declare (the VPC comes from the peoplesoft-vpc-vpcid export).
          - KeyName
          - InstanceType
          - AmazonLinuxAmi
          - HREFSStackName
          - ELEFSStackName
          - SAEFSStackName
          - InstanceSubnet
          - S3BucketName
      - Label:
          default: Tags
        Parameters:
          - ServiceTag
          - EnvironmentTag
          - ContactNetidTag
          - AccountNumberTag
          - SubAccountTag
          - TicketNumberTag
    ParameterLabels:
      ServiceTag:
        default: "Service Name:"
      EnvironmentTag:
        default: 'Environment Type:'
      ContactNetidTag:
        default: 'Contact NetID:'
      AccountNumberTag:
        default: 'Financial Account Number:'
      SubAccountTag:
        default: 'Sub Account Name:'
      TicketNumberTag:
        default: 'Ticket Number:'

Resources

The resources deployed by the template: the EC2 instance, its security group, and the IAM role and instance profile it runs with.

Resources:

EC2 Instance

Deploys the EC2 instance, tags it, and installs and configures the Universal Forwarder through UserData. The former shell comments of that script are kept as comments inside it.

  Ec2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: !Ref AmazonLinuxAmi
      KeyName: !Ref KeyName
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EnvInstanceProfile
      # The EFS stacks export the client security groups that are allowed to mount them.
      # (The original declared SecurityGroupIds twice; the duplicate key is dropped here.)
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup
        - Fn::ImportValue: !Sub "${HREFSStackName}-target-sg"
        - Fn::ImportValue: !Sub "${ELEFSStackName}-target-sg"
        - Fn::ImportValue: !Sub "${SAEFSStackName}-target-sg"
      SubnetId: !Ref InstanceSubnet
      Tags:
        - Key: "Name"
          Value: "ISO Splunk Logs Agent"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubAccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag
      UserData:
        Fn::Base64: !Sub
          - |
            #!/bin/bash -e
            # Basic updates
            sudo yum update -y
            sudo yum install -y git vim telnet
            # Make sure the AWS cli is up to date
            sudo pip install awscli --upgrade
            # Mount the EFS volumes where the logs reside so we can send them to splunk
            mkdir -p /hr
            mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 "${hrefsid}.efs.${AWS::Region}.amazonaws.com:/" /hr
            mkdir -p /el
            mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 "${elefsid}.efs.${AWS::Region}.amazonaws.com:/" /el
            mkdir -p /sa
            mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 "${saefsid}.efs.${AWS::Region}.amazonaws.com:/" /sa
            # Download the Universal Forwarder
            aws s3 cp s3://${S3BucketName}/splunkforwarder-7.2.7-f817a93effc2-linux-2.6-x86_64.rpm .
            # Install the UF, which creates a splunk user and installs into /opt/splunkforwarder
            rpm -i splunkforwarder-7.2.7-f817a93effc2-linux-2.6-x86_64.rpm
            # Create the directory needed for the local configuration
            sudo -u splunk mkdir -p "/opt/splunkforwarder/etc/system/local/"
            # Download the configuration files from S3. user-seed.conf carries the initial admin
            # credential, so the bucket must stay private and readable only by this instance role.
            sudo -u splunk aws s3 cp s3://${S3BucketName}/deploymentclient.conf /opt/splunkforwarder/etc/system/local/deploymentclient.conf
            sudo -u splunk aws s3 cp s3://${S3BucketName}/user-seed.conf /opt/splunkforwarder/etc/system/local/user-seed.conf
            sudo -u splunk aws s3 cp s3://${S3BucketName}/server.conf /opt/splunkforwarder/etc/system/local/server.conf
            # Start splunk once to complete first-run setup, then stop it
            sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license
            sudo -u splunk /opt/splunkforwarder/bin/splunk stop
            # Make sure splunk starts up if the server is rebooted
            chown -R splunk:splunk /opt/splunkforwarder/*
            /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
            service splunk start
          - hrefsid:
              Fn::ImportValue: !Sub "${HREFSStackName}-fs-id"
            elefsid:
              Fn::ImportValue: !Sub "${ELEFSStackName}-fs-id"
            saefsid:
              Fn::ImportValue: !Sub "${SAEFSStackName}-fs-id"

Instance Security Group

Security group for the EC2 instance that allows SSH in from the listed VPN ranges only.

  InstanceSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "Allow ssh to client host"
      VpcId: !ImportValue peoplesoft-vpc-vpcid
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 10.138.2.0/24
          Description: Mosaic VPN-1
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 150.135.241.0/24
          Description: Mosaic VPN-2
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 150.135.112.0/24
          Description: InfraDev VPN
      Tags:
        - Key: "Name"
          Value: "iso splunk instance Security Group"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubAccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Instance Role

This is the IAM role attached to the EC2 instance. Any AWS permissions the node needs (here, reading the forwarder package and configuration files from S3) should be defined on this role.

  EnvInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - ssm.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
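The template gets its S3 access from AmazonEC2RoleforSSM, a deprecated managed policy that grants s3:GetObject and s3:PutObject on every bucket. As an added example (not part of the original template), the same role rewritten to use AmazonSSMManagedInstanceCore plus an inline policy scoped to the objects the UserData actually fetches from the S3BucketName bucket; the policy name and Sids are chosen here and are not from the page:

```yaml
  EnvInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com   # only EC2 needs to assume an instance role
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        # Session Manager, inventory and patching without the account-wide S3 grants of AmazonEC2RoleforSSM
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        - PolicyName: SplunkConfigReadOnly   # name chosen for this example
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # ListBucket lets "aws s3 cp" report a missing key as 404 instead of 403
              - Sid: ListConfigBucket
                Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${S3BucketName}"
              # Read-only, and only the package and the three config files the UserData downloads
              - Sid: ReadConfigObjects
                Effect: Allow
                Action: s3:GetObject
                Resource:
                  - !Sub "arn:aws:s3:::${S3BucketName}/splunkforwarder-*.rpm"
                  - !Sub "arn:aws:s3:::${S3BucketName}/deploymentclient.conf"
                  - !Sub "arn:aws:s3:::${S3BucketName}/user-seed.conf"
                  - !Sub "arn:aws:s3:::${S3BucketName}/server.conf"
```

With this role the instance can no longer read or write any other bucket, which matters because user-seed.conf in this bucket holds the forwarder's initial admin credential.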

Instance Profile

An instance profile is the wrapper that attaches a single IAM role to an EC2 instance. The profile is what the EC2 instance references.

  EnvInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref EnvInstanceRole

Outputs

Output values that can be viewed from the AWS CloudFormation console.

Outputs:
  InstanceID:
    Description: "The Instance ID"
    Value: !Ref "Ec2Instance"