- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: 2 Splunk instance on Linux - passwd sync
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After setting up Load Balance on 2 mirrored Splunk instance I had 2 passwd files located locally on each instance in /opt/splunk/etc/passwd. To sync passwords among the 2 instances, I created a (Linux) symbolic link to a shared drive /opt/share/etc/passwd. However when I created a new account (on 1 instance), the symbolic link was lost and the file returned local status once more.
How do sync credentials (passwd) on all splunk instances so I don't have to create an account on each instance manually? LDAP is currently not an option as I don't have resources for that now.
Thank you in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instance 1:
rsync -av $SPLUNK_HOME/etc/passwd /sharedfolder/splunk/passwd
Instance 2/3/...:
rsync -av /sharedfolder/splunk/passwd $SPLUNK_HOME/etc/passwd
Put these both in cron every 5 minutes (or so) and you should be good to go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't you need to restart the servers every time the passwd file changes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instance 1:
rsync -av $SPLUNK_HOME/etc/passwd /sharedfolder/splunk/passwd
Instance 2/3/...:
rsync -av /sharedfolder/splunk/passwd $SPLUNK_HOME/etc/passwd
Put these both in cron every 5 minutes (or so) and you should be good to go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Do we need to restart the splunk instances for the passwords to work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about rsync?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After a quick review on rsync I found this example command:
rsync -avvr $SPLUNK_HOME/etc/system/local/ <$SPLUNK_HOME/etc/apps/>
What is the best way to rsync-ing it with existing shared folder? Is rsync both-way or one-way? My plan is to have additional instances in the future. I would still need to create an account via one instance.
The Idea would be to:
Instance 1 (Create accounts, transfer passwd to shared folder)
Instance 2 (receive copy of passwd from shared folder)
instance 3 (future - receive copy of passwd from shared folder)
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
