I've seen http://answers.splunk.com/questions/345/does-splunk-play-nice-with-puppet and there is a Puppet manifest in the answer but the manifest doesn't address some of the entries in it.
The question is: What is the purpose of the files in $SPLUNK_HOME/etc/auth? Many of them are explained by http://www.splunk.com/base/Documentation/latest/admin/Secureaccesstoyoursplunkserverwithssl but some are still not explained.
On a new Splunk 4.1.5 installation that was turned into a light forwarder I have these files in $SPLUNK_HOME/etc/auth
.:
total 36
drwx--x--x 2 root root 4096 Oct 14 14:18 audit
-r--r--r-- 1 splunk splunk 912 Sep 4 05:53 cacert.pem
-r--r--r-- 1 splunk splunk 1875 Sep 4 05:53 ca.pem
-rw------- 1 root root 17 Oct 14 14:30 ca.srl
drwx--x--x 2 root root 4096 Oct 14 14:18 distServerKeys
-rw------- 1 root root 951 Oct 14 14:30 privkeySecure.pem
-rw------- 1 root root 595 Oct 14 14:30 req.pem
-rw------- 1 root root 2689 Oct 14 14:30 server.pem
-r-------- 1 root root 255 Oct 14 14:30 splunk.secret
./audit:
total 8
-rw------- 1 root root 887 Oct 14 14:18 private.pem
-rw------- 1 root root 272 Oct 14 14:18 public.pem
./distServerKeys:
total 8
-rw------- 1 root root 887 Oct 14 14:18 private.pem
-rw------- 1 root root 272 Oct 14 14:18 trusted.pem
What is the function of each file listed and which of them can (and should) be omitted from a forwarder?
I've come up with a Puppet class to do just this: https://github.com/TransGaming/puppet/tree/master/splunk
I've come up with a Puppet class to do just this: https://github.com/TransGaming/puppet/tree/master/splunk
You should synchronize the whole auth directory for consistency. Those files are their for the ssl communication and password configuration. As the other Splunk Answers question and answer states, you should also sync the etc/system/local/server.conf and the etc/passwd file.