Splunk App Distribution

Or, "How do apps get put onto splunk servers?"

Summary

There are a few methods:

  • Salt from the msoc-infrastructure repository
  • Salt from customer-specific repositories such as msoc-moose-cm
  • The splunk-app-updater script
  • Manually

The splunk-app-updater script

Each customer account has a Splunk apps bucket named in the format xdr-modelclient-test-splunk-apps. This bucket has a folder for each server function:

  • sh-es - The ES SH
  • idx - Indexers
  • etc.

Inside these folders are subfolders per source. For example, packages from the content team's content_source repository are placed into /sh-es/content_source/.

The script splunk-app-updater runs on a cron schedule (10am ET Mon-Thu) and downloads all files for that server's function from the matching folder.

If any packages have changed since the last install, it installs the app using the splunk command line (using the '--update' command).

Logs are recorded in /var/log/splunk-app-updater.log.
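To make the "changed since the last install" step concrete, here is an added example (not the real splunk-app-updater script) of the change-detection and install loop it describes. It assumes the packages for this server's function have already been pulled from the bucket folder into PKG_DIR, that a JSON state file records the SHA-256 of each package at last install, and that splunk lives at /opt/splunk/bin/splunk; all three paths are assumptions, only the log path comes from this page.

```python
"""Change detection for a splunk-app-updater style cron job (added example)."""
import hashlib
import json
import logging
import subprocess
from pathlib import Path

PKG_DIR = Path("/opt/splunk-app-updater/packages")      # assumed sync target
STATE_FILE = Path("/opt/splunk-app-updater/state.json")  # assumed state file
SPLUNK = "/opt/splunk/bin/splunk"                        # assumed install path
LOG_FILE = "/var/log/splunk-app-updater.log"             # from the doc


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_dir(pkg_dir: Path) -> dict:
    """Map package file name -> SHA-256 for the .tgz/.spl packages present."""
    return {p.name: sha256_file(p) for p in sorted(pkg_dir.iterdir())
            if p.is_file() and p.name.endswith((".tgz", ".spl", ".tar.gz"))}


def changed_packages(current: dict, installed: dict) -> list:
    """Names of packages that are new or whose digest differs from the last install.
    A package no longer in the bucket is left alone (never uninstalled here)."""
    return [name for name, digest in sorted(current.items())
            if installed.get(name) != digest]


def install_command(pkg) -> list:
    # Splunk CLI form of an update install; the doc refers to it as '--update'.
    return [SPLUNK, "install", "app", str(pkg), "-update", "1"]


def main() -> int:
    logging.basicConfig(filename=LOG_FILE, level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    installed = json.loads(STATE_FILE.read_text()) if STATE_FILE.exists() else {}
    current = digest_dir(PKG_DIR)
    for name in changed_packages(current, installed):
        logging.info("installing %s sha256=%s", name, current[name])
        result = subprocess.run(install_command(PKG_DIR / name),
                                capture_output=True, text=True)
        if result.returncode != 0:
            logging.error("install failed for %s: %s", name, result.stderr.strip())
            continue  # old digest is kept, so the package is retried next run
        installed[name] = current[name]  # record the digest that was installed
    STATE_FILE.write_text(json.dumps(installed, indent=2))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Recording the digest rather than a timestamp means a package re-uploaded with identical contents is not reinstalled, while a changed package of the same name always is, and the log line ties each install to the exact bytes that were installed.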

But how do they get into the bucket?

Any method can be used to place apps into the bucket. If it's in the bucket, it will be downloaded and installed.

The primary way they get into the bucket is through the CodeBuild scripts in each customer account. This CodeBuild script downloads the source from https://github.xdr.accenturefederalcyber.com/content-delivery/content_source and builds the apps based on the particular tags.

But how does it build?

The apps are built using a container image that resides in common services. This container is built using the Dockerfile.codebuild file in https://github.xdr.accenturefederalcyber.com/content-delivery/content_generator.

The container is built and placed into ECR by a job that runs in the common services account.