splunk / ansible-role-for-splunk

Splunk@Splunk's Ansible role for installing Splunk, upgrading Splunk, and installing apps/addons on Splunk deployments (VM/bare metal)
Apache License 2.0

Issues Installing Universal Forwarder #186

Closed RAD-Mixen closed 1 year ago

RAD-Mixen commented 1 year ago

My apologies if I'm just missing the whole idea of how I'm supposed to set the vars for using this repo to deploy the Splunk universal forwarder. However, it appears that even though I'm setting these vars for the following fields, the tasks are not setting the license or something related to that, thus not allowing the playbooks to set the system boot and causing it to error out.

My AWX Host: AWX 2.0.0 running Ansible core 2.14.1

Host I'm running the playbook against is an AlmaLinux 8.7 host.

Vars I'm setting under group_vars/all.yml:

```yaml
splunk_uri_ds:
splunk_package_url_uf: https://download.splunk.com/products/universalforwarder/releases/9.0.4/linux/splunkforwarder-9.0.4-de405f4a7979-Linux-x86_64.tgz
splunk_admin_username: custom splunkadmin
splunk_admin_password: using ansible vault with awx
splunk_license_group: Forwarder
splunk_nix_user:
splunk_nix_group:
splunk_use_initd: false
```

I feel like I'm missing something that is staring me in the face again lol. But this is the error AWX is throwing at me (this is in verbose):

```
TASK [ansible-role-for-splunk : Fail the play if the currently configured boot-start method does match the expected state or boot-start is not enabled] ***
task path: /runner/requirements_roles/ansible-role-for-splunk/tasks/main.yml:130
fatal: [UF-test-02_4239728e-ca97-86d0-3e46-d40798c9719a]: FAILED! => {"changed": false, "msg": ["ERROR: Misconfiguration detected! Unable to proceed as handlers will fail in the play later.", "Either splunk boot-start is not enabled on this host, or its current boot-start method does not matched the expected value of splunk_use_initd/splunk_use_systemd.", "To correct this: Either run configure_splunk_boot.yml or update the value of splunk_use_initd/splunk_use_systemd in your group_vars."]}
```

When I log into this host and just run the `$SPLUNK_HOME/splunk enable boot-start -systemd-managed 1` command, it throws up the licensing screen. So that is why I'm suspecting something related to that being the issue with this.

But another thing that confuses me as well is that when I try to use the default splunk nix user and group, the playbooks cannot get past setting permissions for that user on /var/log/audit. However, when I use the root nix user and group it can, so this is why I feel like I'm missing something, or maybe not setting something up correctly?