|
|
@@ -1,10 +1,30 @@
|
|
|
# Customer decommision Notes.md
|
|
|
|
|
|
+
|
|
|
+## Follow these steps to terminate a customer slice
|
|
|
+05/18/2020
|
|
|
+
|
|
|
+See `Splunk SAF Offboarding Notes.md` for notes on pulled data off an indexer to give to the customer.
|
|
|
+
|
|
|
+Don't just terminate the instance, run `terraform destroy` in the appropriate folder.
|
|
|
+
|
|
|
+ 1. Once sensu starts alerting, delete the sensu entities and resolve the alerts
|
|
|
+ 2. On the salt master, delete the salt minion keys
|
|
|
+ 3. On ScaleFT website, delete the servers and project
|
|
|
+ 4. In the redhat website, remove the entitlements
|
|
|
+ 5. Ensure the customer vpc is fully deleted and no dependencies remain
|
|
|
+ 6. Delete the customer folder from the TF
|
|
|
+
|
|
|
salt saf-splunk-syslog-* cmd.run 'systemctl stop syslog-ng'
|
|
|
salt saf-splunk-syslog-* cmd.run 'systemctl disable syslog-ng'
|
|
|
salt saf-splunk-dcn-* cmd.run 'docker stop mdr-syslog-ng'
|
|
|
|
|
|
+## These steps are to remove a customer POP.
|
|
|
+5/18/2020
|
|
|
+
|
|
|
+Shutdown Splunk and disable to prevent new data going to the cluster.
|
|
|
|
|
|
+```
|
|
|
salt saf-splunk-syslog-* cmd.run 'systemctl stop splunk'
|
|
|
salt saf-splunk-syslog-* cmd.run 'systemctl disable splunk'
|
|
|
|
|
|
@@ -13,6 +33,7 @@ salt -C 'saf-splunk-* not *.local' cmd.run 'rm -rf /opt/*'
|
|
|
|
|
|
salt -C 'saf-splunk-* not *.local' cmd.run 'rm -rf /var/log/*'
|
|
|
salt -C 'saf-splunk-* not *.local' cmd.run 'rm -rf /etc/salt/minion && shutdown now'
|
|
|
+```
|
|
|
+
|
|
|
+Update TF code and remove SG rules to block access from POP to C&C, Salt master, and splunk indexers
|
|
|
|
|
|
-remove SG rules to block access. salt master and splunk indexers
|
|
|
-12.42.184.208
|
Brad Poulton