aws-quickstart / quickstart-splunk-enterprise

AWS Quick Start Team
Apache License 2.0

Broken with 7.1 #26

Closed mikegchambers closed 6 years ago

mikegchambers commented 6 years ago

After much messing around I have come to the conclusion that this QuickStart is broken for 7.1.

There are a number of issues which I started to fix, but my knowledge of Splunk is not good enough to offer a pull request.

In summary the userdata scripts do not work with 7.1. If you are suffering the same issue, I would suggest running the March 2018 version of this script, or rolling your own.

Anyone wanting to carry on from where I left off....

/templates/splunk-enterprise.template Line 744 (and all others like it) are missing an escape char on the , should read this: (Although the issue does not seem to break anything)

"printf '%s\t%s\\n' \"$LOCALIP\" 'splunksearch' >> /etc/hosts\n",

AND in the same file, to avoid the 'there is no admin user' issue, the following lines can be added after line 746 (and all other locations like it): (This will enable you to log in to your servers)

"printf '[user_info]\\nPASSWORD = changeme\\n' > $SPLUNK_HOME/etc/system/local/user-seed.conf\n"
"service splunk restart\n"

However, even after making these changes, while you can now log in, to the best of my knowledge, the clusters fail, and it's far from working.

Good luck.
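
A hardened variant of the `user-seed.conf` workaround in the comment above, as an added example that is not part of the original post or the Quick Start: it seeds the admin password from a supplied or generated value instead of the literal `changeme` and writes the file owner-only. The function names `seed_admin` and `gen_password` and the 12-character minimum are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the Quick Start's code): seed the Splunk 7.1 admin
# password without hard-coding a default in userdata.
# seed_admin and gen_password are hypothetical helper names.

# gen_password: 128 bits from the kernel CSPRNG, printed as 32 hex characters.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \t\n'
}

# seed_admin SPLUNK_HOME PASSWORD
# Writes etc/system/local/user-seed.conf in the [user_info] format shown above.
seed_admin() {
    splunk_home=$1
    password=$2
    seed_dir="$splunk_home/etc/system/local"
    seed_file="$seed_dir/user-seed.conf"
    nl='
'
    # Refuse empty or well-known default values.
    case "$password" in
        ''|changeme|password|admin)
            echo "seed_admin: refusing empty or default password" >&2
            return 1 ;;
        # A newline in the value would add extra lines to the stanza.
        *"$nl"*)
            echo "seed_admin: password must be a single line" >&2
            return 1 ;;
    esac
    # Example policy (an assumption): require at least 12 characters.
    if [ "${#password}" -lt 12 ]; then
        echo "seed_admin: password shorter than 12 characters" >&2
        return 1
    fi

    mkdir -p "$seed_dir" || return 1
    # Create the file owner-only from the start; the subshell keeps umask local.
    ( umask 077 && printf '[user_info]\nPASSWORD = %s\n' "$password" > "$seed_file" ) || return 1
    # Also covers the case where the file already existed with looser permissions.
    chmod 600 "$seed_file"
}
```

In userdata this would be called as `seed_admin "$SPLUNK_HOME" "$ADMIN_PASSWORD"` before the `service splunk restart` line, where `ADMIN_PASSWORD` is a placeholder for a value passed in from a template parameter or produced by `gen_password`.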

sshvans commented 6 years ago

@mikegchambers Thanks for reporting the issue. I'll take a look into it and get back to you.

AndyHuang1991 commented 6 years ago

I also can't access Splunk Web with the config password. So I rolled back to the March 2018 template and it works.

But the Splunk Web login page shows the license as expired. Is it because the 60-day trial license is based on the commit time of this script? I.e., if I use the March 2018 version, it will expire in June?

Can anyone help me? Thanks a lot :)

mikegchambers commented 6 years ago

@AndyHuang1991 the first fix I outlined in my OP enables you to log in with the password you set. If you know your way around Splunk there are other things you will need to fix from there on.

FWIW: I had no issues with licenses uploaded via S3.

The problem with the March 2018 template (as you probably know) is that it references v7.0.0.

mikegchambers commented 6 years ago

From further investigation I have a suspicion that this bug is mostly related to changes in the AMI.

I am using ami-9808acfa (ap-southeast-2) which has a Splunk guid set by default which gets in the way when trying to build clusters (nodes can't join clusters when the master has the same guid). It also has an AWS-style local IP server name set, which gets confusing.

I have created a fork with a fix, it's not PR-worthy but it works: https://github.com/mikegchambers/quickstart-splunk-enterprise

sshvans commented 6 years ago

@mikegchambers @AndyHuang1991 These issues have been fixed.