Removed OpenVPN & Qcompliance verbiage

Jeremy Cooper [AFS MBP] 3 years ago
parent
commit
50898e9933
4 changed files with 43 additions and 84 deletions
  1. OpenVPN Notes.md (+2 -2)
  2. Patching Notes.md (+25 -33)
  3. Sensu Go Upgrade Notes.md (+14 -47)
  4. Splunk Upgrade Notes.md (+2 -2)

+ 2 - 2
OpenVPN Notes.md

@@ -1,6 +1,6 @@
-#  OpenVPN Notes - will be updated after server is terminated.
+#  OpenVPN Notes - Server Terminated on May 23, 2022. 
 
-### NOTE: OpenVPN decommissioned on March 25, 2022; replaced with AWS VPN
+## NOTE: OpenVPN decommissioned on March 25, 2022; replaced with AWS VPN
 
 See [AWS VPN Notes](AWS%20VPN%20NOTES.md)
 
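Review bot: The new title gives May 23, 2022 as the termination date while the note two lines below still gives March 25, 2022 as the decommission date, and nothing says how the two relate. State both in one sentence (decommissioned and replaced with AWS VPN on March 25, server terminated on May 23) so a reader does not take one of them for a typo. The added title line also ends in trailing whitespace.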

+ 25 - 33
Patching Notes.md

@@ -5,14 +5,17 @@
 * Send email ~ 1 week before.
 * Give 15 minute warning in the Slack [#xdr-patching](https://afscyber.slack.com/archives/CJ462RRBM), [#xdr-content-aas](https://afscyber.slack.com/archives/C010NEX6X1N), [#xdr-soc Channel](https://afscyber.slack.com/archives/CFUP7STE2), [#xdr-engineering Channel](https://afscyber.slack.com/archives/CFTJSTGDB) channels, etc before patching
 
+---
 ## Patching Process
 
 [Day 1](#Day-1-Wednesday)  
 [Day 2](#Day-2-Thursday)   
-[Day 3](#Day-3-Monday)
+[Day 3](#Day-3-Monday)  
 [Day 3-afternoon](#Day-3-Monday-afternoon)   
 [Day 4](#Day-4-Tuesday)
 
+---
+
 Each month the AWS `GovCloud(GC) TEST/PROD` environments must be patched to comply with FedRAMP requirements. This wiki page outlines the process for patching the environment. 
 
 Email Template that needs to be sent out prior or create a Calendar event for patching and email addresses of individuals who should get the invite. 
@@ -58,7 +61,7 @@ Tuesday <INSERT MONTH> 17:
  
 The customer and user impact will be during the reboots so they will be done in batches to reduce our total downtime.
 ```
-
+---
 ## Detailed Steps (Brad's patching)
 
 ## HEY BRAD: READ ME!
@@ -71,7 +74,7 @@ It's safe to run on `*` and will remove any RHEL registration (or warnings about
 
 **Reminder** - The legacy `Reposerver` was shutdown in late February 2021, so consider it a suspect if you have issues.
 
-
+---
 ### Day 1 (Wednesday)
 
 Patch `GC TEST` first! This helps find problems in `TEST` and potential problems in `PROD`. Test is shutdown to save on costs:
@@ -99,13 +102,13 @@ FYI, patching today.
 Starting with Moose and Internal infra patching within `GC TEST`. Check disk space for potential issues. Return here to start on PROD after TEST is patched. 
 ```
 # Test connectivity between Salt Master and Minions
-salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* or qcompliance* or openvpn* )' test.ping --out=txt
+salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* )' test.ping --out=txt
 
 # Fred's update for df -h - checks for disk utilization at the 80-90% area
-salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* or qcompliance* or openvpn* )' cmd.run 'df -h | egrep "[890][0-9]\%"'
+salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* )' cmd.run 'df -h | egrep "[890][0-9]\%"'
 
 # Review packages that will be updated. Some packages are versionlocked (Collectd, Splunk, Teleport, etc.).
-salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* or qcompliance* or openvpn* )' cmd.run 'yum check-update'
+salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* )' cmd.run 'yum check-update'
 ```
 
 <!-- ```
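Review bot: Dropping `qcompliance*` and `openvpn*` from the `not ( ... )` list in all three commands widens the `*` target, so any minion with one of those names whose key is still accepted on the Salt master will now be pinged and have `cmd.run` executed on it. Confirm with `salt-key -L` that no such keys remain before merging, and record that in the commit message. The OpenVPN removal is backed by a dated note in OpenVPN Notes.md; nothing in this diff gives the equivalent date or reason for Qcompliance.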
@@ -116,13 +119,10 @@ salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib
 salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* )' cmd.run 'df -h' 
 
 ``` -->
-> :warning: **OpenVPN decommissioned on March 25, 2022; replaced with AWS VPN. Omit OpenVPN Commands.**
-
-See [AWS VPN Notes](AWS%20VPN%20NOTES.md)
 
-### Also, the phantom_repo pkg wants to upgrade, but we are not ready. Let's exclude that.
+### Also, the `phantom_repo` pkg wants to upgrade, but we are not ready. Let's exclude that.
 ```
-salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or openvpn* or vmray* or resolver-vmray* or phantom-0* or qcompliance* )' pkg.upgrade
+salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* or phantom-0* )' pkg.upgrade
 
 # update phantom, but exclude the phantom repo. 
 salt -C 'phantom-0*' pkg.upgrade disablerepo='["phantom-base",]'
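Review bot: The commented-out `df -h` command kept at the top of this hunk still carries an older exclusion list that ends at `threatq* )` and lacks `vmray*` and `resolver-vmray*`, so it no longer matches any live command shown here. This commit is already deleting dead OpenVPN comments; delete that commented block as well, or bring its target in line, so it is not copied back into use with the wrong host list.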
@@ -152,17 +152,13 @@ salt vmray* cmd.run 'systemctl start vmray-server vmray-worker'
 5. Reboot the Server (later? or now?) wait until all servers get rebooted.
 ```
 
-<!-- ```
-### Now Patch OpenVPN server and monitor during process in case any issues occur; ie, you get kicked off of VPN, etc.
-`salt -C 'openvpn*' pkg.upgrade`
-``` -->
-
 #### What about threatq? Ask Duane! It needs special handling. 
 
 ### Run it again to make sure nothing got missed. 
 ```
-salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* or phantom-0* or qcompliance* )' pkg.upgrade
+salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or resolver-vmray* or phantom-0* )' pkg.upgrade
 ```
+---
 
 > :warning: After upgrades check on Portal to make sure it is still up. 
 
@@ -176,9 +172,12 @@ date; salt 'customer-portal*' cmd.run 'systemctl restart docker'
 
 Portal Notes are here for further Troubleshooting if necessary: [Portal Notes](Portal%20Notes.md)
 
+---
 #### Patch CaaSP
 See [Patch CaaSP instructions](Patching%20Notes--CaaSP.md)
 
+---
+
 #### Troubleshooting
 
 Phantom error
@@ -232,13 +231,6 @@ yum install yum-utils
 package-cleanup --oldkernels --count=1 -y
 ```
 
-<!-- ```
-If VPN server stops working, 
-Try a stop and start of the VPN service ([OpenVPN Notes](OpenVPN%20Notes.md)). The private IP will probably change. 
-
-``` -->
-
-
 #### ISSUE: Salt-minion doesn't come back and has this error
 ```
 /usr/lib/dracut/modules.d/90kernel-modules/module-setup.sh: line 16: /lib/modules/3.10.0-957.21.3.el7.x86_64///lib/modules/3.10.0-957.21.3.el7.x86_64/kernel/sound/drivers/mpu401/snd-mpu401.ko.xz: No such file or directory
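Review bot: The removed troubleshooting entry covered losing the VPN during patching, and an earlier hunk in this file also drops the "See AWS VPN Notes" link, so the lines shown no longer point anywhere for that failure. If operators reach the Salt master over the AWS VPN, replace the entry with a one-line pointer to AWS VPN Notes instead of deleting it outright.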
@@ -246,7 +238,7 @@ Try a stop and start of the VPN service ([OpenVPN Notes](OpenVPN%20Notes.md)). T
 
 RESOLUTION: Manually reboot the OS, this is most likely due to a kernal upgrade.  
 
-
+---
 ### Day 2 (Thursday)
 
 #### Step 1 of 4 (Day 2): Reboot Internals 
@@ -287,15 +279,15 @@ watch "salt -C 'vault-3* or sensu*' test.ping --out=txt"
 
 Reboot majority of servers in `GC Test`.
 ```
-salt -C '*com not ( modelclient-splunk-idx* or moose-splunk-idx* or resolver* or sensu* or threatq-* or vmray-* or vault-3* or openvpn* or qcompliance* or rhsso-0* )' test.ping --out=txt
-date; salt -C '*com not ( modelclient-splunk-idx* or moose-splunk-idx* or resolver* or sensu* or threatq-* or vmray-* or vault-3* or openvpn* or qcompliance* or rhsso-0* )' system.reboot --async
+salt -C '*com not ( modelclient-splunk-idx* or moose-splunk-idx* or resolver* or sensu* or threatq-* or vmray-* or vault-3* or rhsso-0* )' test.ping --out=txt
+date; salt -C '*com not ( modelclient-splunk-idx* or moose-splunk-idx* or resolver* or sensu* or threatq-* or vmray-* or vault-3* or rhsso-0* )' system.reboot --async
 ```
 > :warning: 
 ### You will lose connectivity to Salt Master
 ### Log back in and verify they are back up
 
 ```
-watch "salt -C '*com not ( modelclient-splunk-idx* or moose-splunk-idx* or resolver* or sensu* or threatq-* or vmray-* or vault-3* or openvpn* or qcompliance* or rhsso-0* )' cmd.run 'uptime' --out=txt"
+watch "salt -C '*com not ( modelclient-splunk-idx* or moose-splunk-idx* or resolver* or sensu* or threatq-* or vmray-* or vault-3* or rhsso-0* )' cmd.run 'uptime' --out=txt"
 ```
 
 Take care of the govcloud Resolvers one at a time. The vmray can be combined with one of the govcloud ones. 
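Review bot: The same exclusion list is edited by hand in three places in this hunk (the `test.ping` preview, the `system.reboot --async` and the `watch` on `uptime`), and the reboot is only as safe as the preview being an exact copy of its target. Define the target once, as a Salt nodegroup or a shell variable set at the top of the step, and reference it in all three commands so a later removal like this one cannot leave the preview and the reboot out of sync.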
@@ -315,10 +307,10 @@ salt -C  '*com not ( modelclient-splunk-idx* or moose-splunk-idx* or threatq-* o
 ```
 ### Duane Section (feel free to bypass)
 --
-I (Duane) did this a little different.  Salt-master first, then openvpn, then everything but resolvers. Resolvers reboot one at a time. 
+I (Duane) did this a little different.  Salt-master first, then everything but resolvers. Resolvers reboot one at a time. 
 
 ```
-salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or openvpn* or qcomp* or salt-master* or moose-splunk-indexer-* or resolver* )' cmd.run 'shutdown -r now'
+salt -C '* not ( afs* or nga* or dc-c19* or la-c19* or qcomp* or salt-master* or moose-splunk-indexer-* or resolver* )' cmd.run 'shutdown -r now'
 ```
 --
 
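Review bot: The `shutdown -r now` target loses `openvpn*` but keeps `qcomp*`, while every other command touched in this commit drops the `qcompliance*` term. Either remove `qcomp*` here as well or add a note on why this list differs, since the commit message says both OpenVPN and Qcompliance wording is being removed.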
@@ -358,16 +350,16 @@ watch "salt -C 'vault-1*com or sensu*com' test.ping --out=txt"
 
 Reboot majority of servers in GC. 
 ```
-salt -C  '*com not ( afs* or nga* or dc-c19* or la-c19* or dgi-* or moose-splunk-idx* or modelclient-splunk-idx* or bas-* or frtib* or ca-c19* or resolver* or vault-1*com or sensu*com or qcompliance* or vmray-worker* or openvpn* )' test.ping --out=txt
+salt -C  '*com not ( afs* or nga* or dc-c19* or la-c19* or dgi-* or moose-splunk-idx* or modelclient-splunk-idx* or bas-* or frtib* or ca-c19* or resolver* or vault-1*com or sensu*com or vmray-worker* )' test.ping --out=txt
 
-date; salt -C  '*com not ( afs* or nga* or dc-c19* or la-c19* or dgi-* or moose-splunk-idx* or modelclient-splunk-idx* or bas-* or frtib* or ca-c19* or resolver* or vault-1*com or sensu*com or qcompliance* or vmray-worker* or openvpn* )' system.reboot --async
+date; salt -C  '*com not ( afs* or nga* or dc-c19* or la-c19* or dgi-* or moose-splunk-idx* or modelclient-splunk-idx* or bas-* or frtib* or ca-c19* or resolver* or vault-1*com or sensu*com or vmray-worker* )' system.reboot --async
 ```
 > :warning:
 ### You will lose connectivity to Salt master
 ### Log back in and verify they are back up
 
 ```
-watch "salt -C  '*accenturefederalcyber.com not ( afs* or nga* or dc-c19* or la-c19* or dgi-* or moose-splunk-idx* or modelclient-splunk-idx* or bas-* or frtib* or ca-c19* or resolver* or vault-1*com or sensu*com or qcompliance* )' cmd.run 'uptime' --out=txt"
+watch "salt -C  '*accenturefederalcyber.com not ( afs* or nga* or dc-c19* or la-c19* or dgi-* or moose-splunk-idx* or modelclient-splunk-idx* or bas-* or frtib* or ca-c19* or resolver* or vault-1*com or sensu*com )' cmd.run 'uptime' --out=txt"
 ```
 
 Take care of the resolvers one at a time and with the `GC Prod Salt Master`. Reboot one of each at the same time.
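Review bot: After this edit the `watch ... 'uptime'` target still differs from the `test.ping` and `system.reboot --async` targets above it: it matches `*accenturefederalcyber.com` instead of `*com` and has no `vmray-worker*` exclusion. The verification will therefore report uptime for vmray-worker hosts that were excluded from the reboot, which reads as a failed reboot. Use the same target string for all three commands.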

+ 14 - 47
Sensu Go Upgrade Notes.md

@@ -54,16 +54,15 @@ Starting with Moose and Internal infra within `GC TEST`.  After deployment is ve
 6. `GC Test` first; `GC PROD` second; From target servers; clean out the cache
     ```
     # XDR Infrastructure - be sure to note the different Salt minions to target between TEST and PROD
-    salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or qcompliance* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'yum clean all && yum makecache fast'
+    salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'yum clean all && yum makecache fast'
 
     # From target servers; view the available packages
-    salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or qcompliance* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'yum --disablerepo="*" --enablerepo="msoc" list available'
-
+    salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'yum --disablerepo="*" --enablerepo="msoc" list available'
 
     # Customer Slices Search Heads Only
-    salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'yum clean all && yum makecache fast'
+    salt -C '*-sh* and not *moose* and not fm-shared-search*' cmd.run 'yum clean all && yum makecache fast'
 
-    salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'yum --disablerepo="*" --enablerepo="msoc" list available'
+    salt -C '*-sh* and not *moose* and not fm-shared-search*' cmd.run 'yum --disablerepo="*" --enablerepo="msoc" list available'
 
     # Customer Slices Cluster masters and Heavy Forwarders 
     salt -C '( *splunk-cm* or *splunk-hf* ) not moose*' cmd.run 'yum clean all && yum makecache fast'
@@ -103,9 +102,9 @@ Starting with Moose and Internal infra within `GC TEST`.  After deployment is ve
 7. Verify and then Stop agent on minions `systemctl stop sensu-agent`
     ```
     # XDR Infrastructure 
-    salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or qcompliance* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'sensu-agent version'
+    salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'sensu-agent version'
     
-    date; salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or qcompliance* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'systemctl stop sensu-agent'
+    date; salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'systemctl stop sensu-agent'
 
     # LCPs
     salt -C '* not *.local not *.pvt.xdr.accenturefederalcyber.com' cmd.run 'sensu-agent version'
@@ -118,23 +117,11 @@ Starting with Moose and Internal infra within `GC TEST`.  After deployment is ve
     date; salt -C 'afs*local or afs*com or ma-*com or la-*com or nga*com or nga*local or dc*com or bas-*com or frtib*com or ca-c19*com or dgi*com' cmd.run 'systemctl stop sensu-agent'
 
     # Customer Slices Search Heads Only
-    date; salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'systemctl stop sensu-agent'
-
-    salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'yum update -y sensu-go-agent'
-
-    salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'systemctl daemon-reload'
-
-    date; salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'systemctl start sensu-agent'
+    date; salt -C '*-sh* and not *moose* and not fm-shared-search*' cmd.run 'systemctl stop sensu-agent'
 
     # Customer Slices Cluster masters and Heavy Forwarders 
     date; salt -C '( *splunk-cm* or *splunk-hf* ) not moose*' cmd.run 'systemctl stop sensu-agent'
 
-    salt -C '( *splunk-cm* or *splunk-hf* ) not moose*' cmd.run 'yum update -y sensu-go-agent'
-
-    salt -C '( *splunk-cm* or *splunk-hf* ) not moose*' cmd.run 'systemctl daemon-reload'
-
-    date; salt -C '( *splunk-cm* or *splunk-hf* ) not moose*' cmd.run 'systemctl start sensu-agent'
-
     # Customer Slices Indexers
     
     # us-east-1a
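Review bot: The "Customer Slices Search Heads Only" and "Cluster masters and Heavy Forwarders" blocks in step 7 now consist of a bare `systemctl stop sensu-agent` with no check before it. The step is titled "Verify and then Stop" and the LCP block above runs `sensu-agent version` first; add the same check for these two targets. Dropping the update, daemon-reload and start commands from this step is fine, since steps 8 to 10 carry them.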
@@ -142,42 +129,22 @@ Starting with Moose and Internal infra within `GC TEST`.  After deployment is ve
 
     date; salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1a or G@ec2:placement:availability_zone:us-gov-east-1a ) not moose*' cmd.run 'systemctl stop sensu-agent'
 
-    salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1a or G@ec2:placement:availability_zone:us-gov-east-1a ) not moose*' cmd.run 'yum update -y sensu-go-agent'
-
-    salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1a or G@ec2:placement:availability_zone:us-gov-east-1a ) not moose*' cmd.run 'systemctl daemon-reload'
-
-    date; salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1a or G@ec2:placement:availability_zone:us-gov-east-1a ) not moose*' cmd.run 'systemctl start sensu-agent'
-
-
     # us-gov-east-1b
     salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1b or G@ec2:placement:availability_zone:us-gov-east-1b ) not moose*' test.ping --out=txt
     
     date; salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1b or G@ec2:placement:availability_zone:us-gov-east-1b ) not moose*' cmd.run 'systemctl stop sensu-agent'
 
-    salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1b or G@ec2:placement:availability_zone:us-gov-east-1b ) not moose*' cmd.run 'yum update -y sensu-go-agent'
-
-    salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1b or G@ec2:placement:availability_zone:us-gov-east-1b ) not moose*' cmd.run 'systemctl daemon-reload'
-
-    date; salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1b or G@ec2:placement:availability_zone:us-gov-east-1b ) not moose*' cmd.run 'systemctl start sensu-agent'
-
-
     # us-gov-east-1c
     salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1c or G@ec2:placement:availability_zone:us-gov-east-1c ) not moose*' test.ping --out=txt
 
     date; salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1c or G@ec2:placement:availability_zone:us-gov-east-1c ) not moose*' cmd.run 'systemctl stop sensu-agent'
 
-    salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1c or G@ec2:placement:availability_zone:us-gov-east-1c ) not moose*' cmd.run 'yum update -y sensu-go-agent'
-
-    salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1c or G@ec2:placement:availability_zone:us-gov-east-1c ) not moose*' cmd.run 'systemctl daemon-reload'
-
-    date; salt -C '*splunk-i* and ( G@ec2:placement:availability_zone:us-east-1c or G@ec2:placement:availability_zone:us-gov-east-1c ) not moose*' cmd.run 'systemctl start sensu-agent'
-
     ```
 
 8. Update the agent on minion `yum update -y sensu-go-agent`
     ```
     # XDR Infrastructure
-    date; salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or qcompliance* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'yum update -y sensu-go-agent'
+    date; salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'yum update -y sensu-go-agent'
 
     # LCPs
     date; salt -C '* not *.local not *.pvt.xdr.accenturefederalcyber.com' cmd.run 'yum update -y sensu-go-agent'
@@ -188,7 +155,7 @@ Starting with Moose and Internal infra within `GC TEST`.  After deployment is ve
     date; salt -C 'afs*local or afs*com or ma-*com or la-*com or nga*com or nga*local or dc*com or bas-*com or frtib*com or ca-c19*com or dgi*com' cmd.run 'systemctl stop sensu-agent'
 
     # Customer Slices Search Heads Only
-    salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'yum update -y sensu-go-agent'
+    salt -C '*-sh* and not *moose* and not fm-shared-search*' cmd.run 'yum update -y sensu-go-agent'
 
     # Customer Slices Cluster masters and Heavy Forwarders 
     salt -C '( *splunk-cm* or *splunk-hf* ) not moose*' cmd.run 'yum update -y sensu-go-agent'
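Review bot: The first context line of this hunk runs `systemctl stop sensu-agent` against the `afs*local or afs*com ...` target, but it sits inside step 8, "Update the agent on minion". That looks like a copy-paste from step 7. While this block is being edited, change it to `yum update -y sensu-go-agent`, or remove the line if the LCP command above it already covers these hosts.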
@@ -209,13 +176,13 @@ Starting with Moose and Internal infra within `GC TEST`.  After deployment is ve
 9. Reload the daemon `systemctl daemon-reload`
     ```
     # XDR Infrastructure
-    date; salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or qcompliance* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'systemctl daemon-reload'
+    date; salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'systemctl daemon-reload'
 
     # LCPs
     date; salt -C '* not *.local not *.pvt.xdr.accenturefederalcyber.com' cmd.run 'systemctl daemon-reload'
 
     # Customer Slices Search Heads Only
-    date; salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'systemctl daemon-reload'
+    date; salt -C '*-sh* and not *moose* and not fm-shared-search*' cmd.run 'systemctl daemon-reload'
 
     # Customer Slices Cluster masters and Heavy Forwarders 
     date; salt -C '( *splunk-cm* or *splunk-hf* ) not moose*' cmd.run 'systemctl daemon-reload'
@@ -235,13 +202,13 @@ Starting with Moose and Internal infra within `GC TEST`.  After deployment is ve
 10. Start agent `systemctl start sensu-agent`
     ```
     # XDR Infrastructure
-    date; salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or qcompliance* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'systemctl start sensu-agent'
+    date; salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or bas-* or ca-c19* or frtib* or dgi* or threatq* or vmray* or sensu* or rhsso-0* or fm-shared-search-0* or modelclient-splunk-idx-326* or modelclient-splunk-idx-8b8* or moose-splunk-idx-eed* )' cmd.run 'systemctl start sensu-agent'
 
     # LCPs
     date; salt -C '* not *.local not *.pvt.xdr.accenturefederalcyber.com' cmd.run 'systemctl start sensu-agent'
 
     # Customer Slices Search Heads Only
-    date; salt -C '*-sh* and not *moose* and not qcompliance* and not fm-shared-search*' cmd.run 'systemctl start sensu-agent'
+    date; salt -C '*-sh* and not *moose* and not fm-shared-search*' cmd.run 'systemctl start sensu-agent'
 
     # Customer Slices Cluster masters and Heavy Forwarders 
     date; salt -C '( *splunk-cm* or *splunk-hf* ) not moose*' cmd.run 'systemctl start sensu-agent'
@@ -266,7 +233,7 @@ Starting with Moose and Internal infra within `GC TEST`.  After deployment is ve
 
 > :warning: Don't forget to un-silence Sensu. 
 
-
+---
 ### Sensu Go caveats
 ---
 In `version 5.16` the default password was removed in favor of a sensu-backend init with bash variables. 

+ 2 - 2
Splunk Upgrade Notes.md

@@ -3,7 +3,7 @@
 User Calendar Apt to notify when you are upgrading Splunk. 
 
 ```
-Naughton, Brandon <brandon.naughton@accenturefederal.com>; Williams, Colby <colby.williams@accenturefederal.com>; Waddle, Duane E. <duane.e.waddle@accenturefederal.com>; Damstra, Frederick T. <frederick.t.damstra@accenturefederal.com>; Reuther, John M. <john.m.reuther@accenturefederal.com>; Leonard, Wesley A. <wesley.a.leonard@accenturefederal.com>; Starcher, George <george.a.starcher@accenturefederal.com>; Rivas, Gregory A. <gregory.a.rivas@accenturefederal.com>; Jarrett, James M. <james.m.jarrett@accenturefederal.com>; Kerr, James <j.kerr@accenturefederal.com>
+Naughton, Brandon <brandon.naughton@accenturefederal.com>; Williams, Colby <colby.williams@accenturefederal.com>; Waddle, Duane E. <duane.e.waddle@accenturefederal.com>; Damstra, Frederick T. <frederick.t.damstra@accenturefederal.com>; Reuther, John M. <john.m.reuther@accenturefederal.com>; Leonard, Wesley A. <wesley.a.leonard@accenturefederal.com>; Starcher, George <george.a.starcher@accenturefederal.com>; Rivas, Gregory A. <gregory.a.rivas@accenturefederal.com>; Jarrett, James M. <james.m.jarrett@accenturefederal.com>; Kerr, James <j.kerr@accenturefederal.com>; Cooper, Jeremy <jeremy.cooper@accenturefederal.com>
 ```
 `This is an FYI only. I plan on upgrading PROD Splunk during this time.`
 
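Review bot: The invite list in the fenced block grows by one more personal address, which means the wiki has to be edited every time the team changes and it now keeps eleven named mailboxes in the repository. Replace the block with a distribution list or mail group address and maintain membership there.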
@@ -16,7 +16,7 @@ Post to slack channels before you begin. xdr-patching, xdr-engineering, xdr-soc
 Starting dc-c19 Splunk upgrade. please plan on outages. 
 ```
 
-NOTE: The CM should be at the same or higher version than any Search Head connecting to it. Thus, upgrade the FM-shared-search, monitoring console, and qcompliance after upgrading all the Cluster Masters.
+NOTE: The CM should be at the same or higher version than any Search Head connecting to it. Thus, upgrade the FM-shared-search and monitoring console after upgrading all the Cluster Masters.
 
 NOTE: After upgrading Splunk, update the master_apps/_cluster/default/indexes.conf in the respective msoc-{customer}-cm repo to match the version created/updated by the upgrade.