# Splunk Migration from Commercial to GovCloud - 3. Remaining Servers

Migrate the HF (this will be a no-brainer in test, but in prod it has implications: the old HF is stopped for the final sync, so nothing is forwarded until the new HF is started at the end of the cutover).

## Terraform the HF

```
cd ~/xdr-terraform-live/test/aws-us-gov/mdr-test-c2/180-splunk-heavy-forwarder
terragrunt apply
```

## Highstate it

```
tshp gc-dev-salt-master
salt 'moose-splunk-hf.pvt.xdrtest.accenturefederalcyber.com' state.highstate --output-diff
# Highstate a second time
salt 'moose-splunk-hf.pvt.xdrtest.accenturefederalcyber.com' state.highstate --output-diff
```

## Prep the keys

The rsyncs below run on the new HF as the splunk user and pull from the old HF over ssh, so generate a key for the splunk user on the new HF and authorize it on the old one. The login on the old HF is your own account (the rsync uses it with `--rsync-path="sudo rsync"`), so the key goes into your user's authorized_keys there, and that account needs sudo without a password prompt for rsync.

```
tshp CUST-splunk-hf
sudo systemctl stop splunk
sudo systemctl disable splunk
sudo su - splunk
ssh-keygen
# accept the defaults and leave the passphrase empty (press Enter three times)
cat ~/.ssh/id_rsa.pub
exit
exit
```

```
tshp CUST-splunk-hf.msoc.defpoint.local
mkdir .ssh
cat >> .ssh/authorized_keys
# paste the public key from above, then Ctrl-D
exit
```

sshd ignores the key unless `.ssh` is mode 700 and `authorized_keys` is mode 600, so check those if the first rsync prompts for a password. The key has no passphrase: remove it from authorized_keys on the old HF (and the key pair from the splunk user on the new HF) once the cutover is done.

## Initial rsyncs

Log into the new HF, stop splunkd, and pull /opt/splunk from the old HF as the splunk user. The old HF is still running at this point, so this only gets the bulk of the data across; the final sync during cutover is then short.

```
tshp CUST-splunk-hf
sudo systemctl stop splunk
sudo su - splunk
time rsync --rsync-path="sudo rsync" -avz --delete --progress \
  frederick.t.damstra@CUST-splunk-hf.msoc.defpoint.local:/opt/splunk/ /opt/splunk/ \
  --exclude="*.log" --exclude '*.log.*' --exclude '*.bundle' --exclude ".ssh"
```

`--delete` makes the new /opt/splunk mirror the old one. The excludes skip logs, rotated logs and search bundles; `.ssh` is excluded because /opt/splunk is the splunk user's home directory and a mirror with `--delete` would otherwise wipe the key pair generated above.


## Final cutover

Stop splunk on the old HF:

```
tshp CUST-splunk-hf.msoc.defpoint.local
sudo systemctl stop splunk
sudo systemctl disable splunk
exit
```

Then, on the new HF, do the final rsync, fix ownership, and look for any config that still references the old domain:

```
tshp CUST-splunk-hf
sudo systemctl stop splunk
sudo su - splunk
time rsync --rsync-path="sudo rsync" -avz --delete --progress \
  frederick.t.damstra@CUST-splunk-hf.msoc.defpoint.local:/opt/splunk/ /opt/splunk/ \
  --exclude="*.log" --exclude '*.log.*' --exclude '*.bundle' --exclude ".ssh"
exit
sudo chown -R splunk:splunk /opt/splunk
cd /opt/splunk
sudo grep 'msoc.defpoint.local' $(sudo find . -name "*.conf")
```

Replace anything found with a command like the following. Escape the dots so the pattern only matches the domain, use the `g` flag so every occurrence on a line is rewritten, and run it against every file the grep reported, not only system/local. The replacement domain depends on the environment you are migrating into (the test HF above lives under pvt.xdrtest.accenturefederalcyber.com).

```
sudo sed -i 's/msoc\.defpoint\.local/pvt.xdr.accenturefederalcyber.com/g' /opt/splunk/etc/system/local/*.conf
```


Highstate the new HF again from the salt master, then start splunk on it:

```
ssh gc-dev-salt-master
salt 'moose-splunk-hf.pvt*' state.highstate --output-diff
exit
```

```
ssh gc-prod-moose-splunk-hf
sudo systemctl start splunk
```
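The "grep for the old domain, then sed it out" step of the cutover, as an added example that is not part of this runbook: it walks the whole conf tree rather than only system/local, escapes the dots so a lookalike string is left alone, rewrites every occurrence on a line, and refuses to report success while any `.conf` still references the old domain. It assumes POSIX find/grep/sed and that it is run under sudo on the HF so the tree is readable; the directory built by `make_sample_tree` (hostnames included) is constructed sample data, not real configuration.

```bash
#!/usr/bin/env bash
# Added example, not from the runbook: one checked pass that replaces the
# runbook's grep + hand-edited sed. Assumptions (not from the page): POSIX
# find/grep/sed; run under sudo on the real HF. make_sample_tree builds
# constructed sample data, not real configuration.
set -u

# Escape a literal for the left side of sed s|||. An unescaped dot in a domain
# name matches any character, so "msoc.defpoint.local" would also match
# "msocXdefpointXlocal". '|' is the delimiter because it cannot occur in a DNS name.
sed_escape_pattern() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# Escape a literal for the right side of sed s||| (& and \ are special there).
sed_escape_replacement() {
    printf '%s' "$1" | sed 's/[&\\]/\\&/g'
}

# List every *.conf under $1 that still contains the literal string $2.
# Always exits 0: find+grep return 1 for "no match", which would abort a
# caller running under set -e.
find_old_refs() {
    find "$1" -type f -name '*.conf' -exec grep -lF -- "$2" {} + || true
}

# Succeed only if no *.conf under $1 still contains $2; list offenders to stderr.
verify_no_old_refs() {
    local left
    left=$(find_old_refs "$1" "$2")
    if [ -n "$left" ]; then
        printf 'still referenced in:\n%s\n' "$left" >&2
        return 1
    fi
}

# Rewrite every occurrence of $2 with $3 in each matching *.conf under $1.
# Writes back through cat so each file keeps its inode, owner and mode.
# Prints the number of files changed; the exit status is the verification's.
rewrite_domain_refs() {
    local dir=$1 old=$2 new=$3 pat rep count=0 f tmp
    pat=$(sed_escape_pattern "$old")
    rep=$(sed_escape_replacement "$new")
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        tmp=$(mktemp)
        sed "s|$pat|$rep|g" "$f" > "$tmp" && cat "$tmp" > "$f"
        rm -f "$tmp"
        count=$((count + 1))
    done <<EOF
$(find_old_refs "$dir" "$old")
EOF
    echo "$count"
    verify_no_old_refs "$dir" "$old"
}

# Constructed miniature of /opt/splunk/etc for the demo; the hostnames are made up.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/system/local" "$root/etc/apps/cust_outputs/local" "$root/etc/apps/readme"
    cat > "$root/etc/system/local/server.conf" <<'EOF'
[general]
serverName = CUST-splunk-hf.msoc.defpoint.local
EOF
    cat > "$root/etc/apps/cust_outputs/local/outputs.conf" <<'EOF'
[tcpout:gc_indexers]
server = idx-01.msoc.defpoint.local:9997, idx-02.msoc.defpoint.local:9997
EOF
    # Control: dots must match literally, so this file has to stay untouched.
    cat > "$root/etc/apps/readme/lookalike.conf" <<'EOF'
note = msocXdefpointXlocal is not the old domain
EOF
    # Control: not a .conf file, so outside the runbook's scope.
    printf 'contact: admin@msoc.defpoint.local\n' > "$root/etc/apps/readme/README.txt"
    echo "$root"
}

# Run against the sample tree; on a real HF you would call
#   rewrite_domain_refs /opt/splunk/etc msoc.defpoint.local pvt.xdr.accenturefederalcyber.com
demo() {
    local root changed
    root=$(make_sample_tree)
    echo "before:"; find_old_refs "$root" msoc.defpoint.local
    changed=$(rewrite_domain_refs "$root" msoc.defpoint.local pvt.xdr.accenturefederalcyber.com)
    echo "rewrote $changed file(s)"
    cat "$root/etc/apps/cust_outputs/local/outputs.conf"
    rm -rf "$root"
}
demo
```

Run it with sudo against `/opt/splunk/etc` after the chown; a non-zero exit with a list on stderr means a file still carries the old domain and the cutover should not proceed to the highstate.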



## Clean up indexers

Indexers keep a copy of the search bundle for every search head that has ever connected, so the bundles from the old (defpoint.local) search heads are wasting disk. Remove them one indexer at a time from the salt master:

```
ssh gc-dev-salt-master
salt 'moose-splunk-idx-63f*' cmd.run 'systemctl stop splunk; rm -rf /opt/splunk/var/run/searchpeers/*defpoint.local*; systemctl start splunk'
```

This restarts splunkd on the peer, so its buckets are briefly unavailable to the cluster. Wait for the cluster master to report search factor and replication factor met again before repeating for the next indexer.
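The per-indexer loop above with the "wait for SF/RF" step automated, as an added example that is not part of this runbook. It assumes the cluster master's management port is reachable at `CM_URL` with the `CM_USER`/`CM_PASS` credentials (placeholder names and values), and that the REST endpoint `/services/cluster/master/info` reports `search_factor_met` and `replication_factor_met`; that endpoint and those field names come from general Splunk knowledge, not from this page, so check them against your version. The indexer names in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the runbook: clean old search-head bundles off the
# indexers one peer at a time, polling the cluster master between peers until
# search factor and replication factor are met again.
# Assumptions (not from the page): CM_URL/CM_USER/CM_PASS are placeholders;
# cluster/master/info exposing search_factor_met / replication_factor_met is
# from general Splunk REST knowledge and should be verified for your version.
set -u

CM_URL=${CM_URL:-https://gc-moose-splunk-cm:8089}
CM_USER=${CM_USER:-admin}
CM_PASS=${CM_PASS:-changeme}
OLD_DOMAIN_GLOB=${OLD_DOMAIN_GLOB:-'*defpoint.local*'}

# Fetch the cluster master's info record as JSON. Kept separate so a dry run
# or a test can swap in canned data without touching the network.
cluster_status() {
    curl -sk -u "$CM_USER:$CM_PASS" \
        "$CM_URL/services/cluster/master/info?output_mode=json"
}

# Pull one scalar field out of the JSON in $1 without needing jq. Tolerates
# true/false, 1/0 and quoted "1"/"0".
json_flag() {
    printf '%s' "$1" | grep -o "\"$2\":[^,}]*" | head -n1 | cut -d: -f2 | tr -d '" '
}

# 0 if both factors are met in the status document $1, else 1.
sf_rf_met() {
    local sf rf
    sf=$(json_flag "$1" search_factor_met)
    rf=$(json_flag "$1" replication_factor_met)
    case "$sf:$rf" in
        true:true|1:1) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll until SF/RF are met or SFRF_TIMEOUT seconds (default 30 min) pass,
# sleeping SFRF_INTERVAL seconds (default 15) between polls.
wait_for_sf_rf() {
    local timeout=${SFRF_TIMEOUT:-1800} interval=${SFRF_INTERVAL:-15} waited=0
    while ! sf_rf_met "$(cluster_status)"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${waited}s waiting for SF/RF to be met" >&2
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# The runbook's cmd.run for one peer, issued from the salt master.
clean_peer() {
    salt "$1" cmd.run "systemctl stop splunk; rm -rf /opt/splunk/var/run/searchpeers/$OLD_DOMAIN_GLOB; systemctl start splunk"
}

# Never touch the next peer until the cluster is whole again. Also waits before
# the first peer, so a cluster that is already degraded is not made worse.
# Usage on the salt master (placeholder minion names):
#   clean_all_peers moose-splunk-idx-63f moose-splunk-idx-7a2 moose-splunk-idx-c19
clean_all_peers() {
    local peer
    for peer in "$@"; do
        wait_for_sf_rf || return 1
        clean_peer "$peer"
    done
    wait_for_sf_rf
}
```

`clean_all_peers` takes minion IDs, not a glob, precisely so that `salt` acts on one indexer per iteration; the runbook's `moose-splunk-idx-63f*` style target would hit every matching peer at once and could drop searchable copies below the replication factor.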
