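#!/usr/bin/env bash
# Splunk Log4j removal notes -- the manual procedure behind the salt state.
#
# These notes are specific to Splunk version 8.2.2.1 (prod). The test tier ran
# 8.2.3 at the time, which is why two manifest file names appeared in the
# original runbook:
#   /opt/splunk/splunk-8.2.3-cd0848707637-linux-2.6-x86_64-manifest    (TEST)
#   /opt/splunk/splunk-8.2.2.1-ae6821b7c64b-linux-2.6-x86_64-manifest  (PROD)
# This script locates the manifest by glob instead of hard-coding the build id.
#
# Note 2022-06-06: most of the below has been made into a state that can be
# run at will. Dry-run first, then drop test=true to apply:
#   salt '*splunk*' state.sls splunk.remove_log4j --output-diff test=true
#
# What the procedure does: backs up, then removes, the Java components that
# ship a log4j with Splunk (spark, hive, the splunk-library-javalogging jar and
# the splunk_archiver java-bin jars), strips those entries from the install
# manifest, and disables the archiver's "Bucket Copy Trigger" saved search
# that would otherwise try to use them. This is a mitigation, not a patch:
# an upgrade reinstalls the jars and ships a new manifest, so re-run the
# checks after every Splunk upgrade and confirm the list of components against
# the vendor's current advisory for this version.
#
# NOTE(review): editing the manifest presumably keeps Splunk's file integrity
# check from flagging the deleted jars -- confirm that is the intent; only the
# jar entries are dropped, a directory entry for java-bin (if any) is kept.
#
# Salt reference from the original runbook (targets as used then):
#   salt 'modelclient-splunk-[sh,cm]*' cmd.run 'systemctl restart splunk'
#   salt -C '*splunk* or *search*' cmd.run 'ls -larth /opt/splunk/bin/jars/vendors/spark'
#   salt -C '*splunk* or *search*' cmd.run 'ls -larth /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*'
# Only the sh/cm hosts were restarted in the notes; confirm whether the other
# roles need one too, and use a rolling restart for clustered indexers.
# Host roles still listed as to-do at the time: HF, idx, DS.
#
# Phantom ships its own embedded Splunk and is handled by hand (the salt state
# does not target it). The notes only did list/backup/delete there, not the
# manifest or archiver steps:
#   SPLUNK_HOME=/opt/phantom/splunk bash remove_log4j.sh list
#   SPLUNK_HOME=/opt/phantom/splunk bash remove_log4j.sh backup
#   SPLUNK_HOME=/opt/phantom/splunk bash remove_log4j.sh delete
#
# Usage (run as root on the Splunk host, or via salt cmd.run):
#   bash remove_log4j.sh list | backup | delete | manifest | verify
#                        | disable-archiver | restart | final-checks | all
# With no argument the script prints this usage and changes nothing, so it is
# safe to read, source or run by accident.
#
# Environment:
#   SPLUNK_HOME  Splunk install root            (default /opt/splunk)
#   BACKUP_DIR   where the .tgz backups go      (default /opt)
#   SPLUNK_USER  owner for the conf written     (default splunk -- verify this
#                matches the account Splunk runs as on the host)
set -euo pipefail

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
BACKUP_DIR="${BACKUP_DIR:-/opt}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

die() { printf 'remove_log4j: %s\n' "$*" >&2; exit 1; }

usage() {
  printf 'usage: %s list|backup|delete|manifest|verify|disable-archiver|restart|final-checks|all\n' \
    "${0##*/}" >&2
}

# The four locations that are backed up and removed. Globs are expanded here
# (unmatched globs stay literal and show up as "No such file" in the listing).
jar_paths() {
  printf '%s\n' \
    "$SPLUNK_HOME/bin/jars/vendors/spark" \
    "$SPLUNK_HOME"/bin/jars/vendors/libs/splunk-library-javalogging-*.jar \
    "$SPLUNK_HOME"/bin/jars/thirdparty/hive* \
    "$SPLUNK_HOME"/etc/apps/splunk_archiver/java-bin/jars/*
}

# list: show what is currently present; never fails, it is a look-only step.
list_jars() {
  local p
  while IFS= read -r p; do
    ls -larth -- "$p" || true
  done < <(jar_paths)
}

# Exactly one install manifest is expected under SPLUNK_HOME; anything else
# (none, or two after a half-finished upgrade) is a reason to stop and look.
# Outputs: the manifest path on stdout.
find_manifest() {
  local matches=("$SPLUNK_HOME"/splunk-*-manifest)
  if (( ${#matches[@]} != 1 )) || [[ ! -f "${matches[0]}" ]]; then
    die "expected exactly one $SPLUNK_HOME/splunk-*-manifest, found: ${matches[*]}"
  fi
  printf '%s\n' "${matches[0]}"
}

# backup: archive the four locations and copy the manifest. Refuses to
# overwrite an earlier backup so a re-run after deletion cannot clobber the
# only copy. tar drops the leading '/' from absolute member names, so restore
# with: tar -xzf FILE -C /
backup_jars() {
  local manifest f
  manifest=$(find_manifest)
  for f in "$BACKUP_DIR/bin-jars-vendors-spark.tgz" \
           "$BACKUP_DIR/bin-jars-vendors-libs-splunk.tgz" \
           "$BACKUP_DIR/bin-jars-thirdparty-hive.tgz" \
           "$BACKUP_DIR/splunk_archiver-java-bin.tgz" \
           "$SPLUNK_HOME/splunk-manifest.backup"; do
    if [[ -e "$f" ]]; then
      die "refusing to overwrite existing backup $f"
    fi
  done
  # Any tar failure (e.g. a glob that matches nothing) aborts under set -e,
  # which is what we want: no deletion without a complete backup.
  tar -cvzf "$BACKUP_DIR/bin-jars-vendors-spark.tgz" "$SPLUNK_HOME/bin/jars/vendors/spark"
  tar -cvzf "$BACKUP_DIR/bin-jars-vendors-libs-splunk.tgz" "$SPLUNK_HOME"/bin/jars/vendors/libs/splunk-library-javalogging-*.jar
  tar -cvzf "$BACKUP_DIR/bin-jars-thirdparty-hive.tgz" "$SPLUNK_HOME"/bin/jars/thirdparty/hive*
  tar -cvzf "$BACKUP_DIR/splunk_archiver-java-bin.tgz" "$SPLUNK_HOME"/etc/apps/splunk_archiver/java-bin/jars/*
  cp -- "$manifest" "$SPLUNK_HOME/splunk-manifest.backup"
  ls -larth -- "$BACKUP_DIR"/*.tgz "$SPLUNK_HOME"/*backup
}

# delete: remove the four locations. Gated on the backups existing and being
# non-empty; "${SPLUNK_HOME:?}" guards against an rm -rf on a bare path if the
# variable were ever emptied.
delete_jars() {
  local f
  for f in "$BACKUP_DIR/bin-jars-vendors-spark.tgz" \
           "$BACKUP_DIR/bin-jars-vendors-libs-splunk.tgz" \
           "$BACKUP_DIR/bin-jars-thirdparty-hive.tgz" \
           "$BACKUP_DIR/splunk_archiver-java-bin.tgz"; do
    [[ -s "$f" ]] || die "backup $f missing or empty -- run 'backup' first"
  done
  rm -rf -- "${SPLUNK_HOME:?}/bin/jars/vendors/spark"
  rm -f  -- "${SPLUNK_HOME:?}"/bin/jars/vendors/libs/splunk-library-javalogging-*.jar
  rm -rf -- "${SPLUNK_HOME:?}"/bin/jars/thirdparty/hive*
  rm -rf -- "${SPLUNK_HOME:?}"/etc/apps/splunk_archiver/java-bin/jars/*
}

# Drop every manifest line that refers to one of the removed locations.
# Arguments: $1 - manifest file (edited in place, GNU sed -i).
strip_manifest() {
  local file=$1
  sed -i \
    -e '\#splunk/bin/jars/vendors/spark#d' \
    -e '\#splunk/bin/jars/vendors/libs/splunk-library-javalogging-#d' \
    -e '\#splunk/bin/jars/thirdparty/hive#d' \
    -e '\#splunk/etc/apps/splunk_archiver/java-bin/jars#d' \
    "$file"
}

# Fail if the manifest still lists any of the removed locations. The original
# notes chained the greps with && so that "success" meant the entries were
# still there; this is the check the other way round, success means clean.
# Arguments: $1 - manifest file
verify_manifest() {
  local file=$1
  if grep -Fq \
      -e 'splunk/bin/jars/vendors/spark' \
      -e 'splunk/bin/jars/vendors/libs/splunk-library-javalogging-' \
      -e 'splunk/bin/jars/thirdparty/hive' \
      -e 'splunk/etc/apps/splunk_archiver/java-bin/jars' \
      -- "$file"; then
    die "manifest $file still lists log4j components"
  fi
}

# manifest: locate the manifest, require the backup copy taken by 'backup',
# strip the entries and verify.
patch_manifest() {
  local manifest
  manifest=$(find_manifest)
  [[ -s "$SPLUNK_HOME/splunk-manifest.backup" ]] \
    || die "$SPLUNK_HOME/splunk-manifest.backup missing -- run 'backup' first"
  strip_manifest "$manifest"
  verify_manifest "$manifest"
}

# Stanza that disables the archiver's scheduled search. Outputs: the conf text.
archiver_conf() {
  printf '%s\n' '[Bucket Copy Trigger]' 'enableSched = 0' 'disabled=true'
}

# disable-archiver: write the local savedsearches.conf override and show what
# btool resolves. Refuses to overwrite an existing local file, because the
# override would silently replace whatever is configured there; merge by hand.
disable_archiver_search() {
  local dir="$SPLUNK_HOME/etc/apps/splunk_archiver/local"
  local conf="$dir/savedsearches.conf"
  if [[ -e "$conf" ]]; then
    die "$conf already exists -- add the [Bucket Copy Trigger] stanza by hand"
  fi
  mkdir -p -- "$dir"
  archiver_conf > "$conf"
  chown -R "$SPLUNK_USER": -- "$dir"
  cat -- "$conf"
  "$SPLUNK_HOME/bin/splunk" btool savedsearches list --debug | grep splunk_archiver | grep disabled
}

# restart: local equivalent of the salt cmd.run in the header. Run per role,
# not fleet-wide, and roll it through clustered indexers.
restart_splunk() {
  systemctl restart splunk
}

# final-checks: the two listings from the notes (both expected to report
# "No such file"), plus an inventory of any log4j jar left under SPLUNK_HOME.
# A hit is not automatically a problem (the name carries the version), but it
# needs a decision; the four removals above are not a full inventory.
final_checks() {
  ls -larth -- "$SPLUNK_HOME/bin/jars/vendors/spark" || true
  ls -larth -- "$SPLUNK_HOME"/etc/apps/splunk_archiver/java-bin/jars/* || true
  find "$SPLUNK_HOME" -iname 'log4j*.jar' -print 2>/dev/null || true
}

main() {
  local action=${1:-}
  case "$action" in
    list)             list_jars ;;
    backup)           backup_jars ;;
    delete)           delete_jars ;;
    manifest)         patch_manifest ;;
    verify)           verify_manifest "$(find_manifest)" ;;
    disable-archiver) disable_archiver_search ;;
    restart)          restart_splunk ;;
    final-checks)     final_checks ;;
    all)
      # Restart is deliberately left out of 'all': it is role-specific.
      backup_jars
      delete_jars
      patch_manifest
      disable_archiver_search
      final_checks
      ;;
    '')               usage ;;
    *)                usage; die "unknown action '$action'" ;;
  esac
}

main "$@"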