
Splunk Log4j Removal Notes

These notes are specific to Splunk version 8.2.2.1.

Note 2022-06-06:

Most of the steps below have been turned into a Salt state that can be run at will:

salt \*splunk\* state.sls splunk.remove_log4j --output-diff test=true

Manual Notes:

Java removal for Log4j on Splunk

ls -larth /opt/splunk/bin/jars/vendors/spark
ls -larth /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar
ls -larth /opt/splunk/bin/jars/thirdparty/hive
ls -larth /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*

ls -larth /opt/splunk/bin/jars/vendors/spark ; ls -larth /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar ; ls -larth /opt/splunk/bin/jars/thirdparty/hive ; ls -larth /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*

cmd.run 'ls -larth /opt/splunk/bin/jars/vendors/spark ; ls -larth /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar ; ls -larth /opt/splunk/bin/jars/thirdparty/hive ; ls -larth /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*'

BACKUP

tar -cvzf /opt/bin-jars-vendors-spark.tgz /opt/splunk/bin/jars/vendors/spark
tar -cvzf /opt/bin-jars-vendors-libs-splunk.tgz /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar
tar -cvzf /opt/bin-jars-thirdparty-hive.tgz /opt/splunk/bin/jars/thirdparty/hive
tar -cvzf /opt/splunk_archiver-java-bin.tgz /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*
cp /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest /opt/splunk/splunk-manifest.backup
cp /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest /opt/splunk/splunk-manifest.backup

tar -cvzf /opt/bin-jars-vendors-spark.tgz /opt/splunk/bin/jars/vendors/spark && tar -cvzf /opt/bin-jars-vendors-libs-splunk.tgz /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar && tar -cvzf /opt/bin-jars-thirdparty-hive.tgz /opt/splunk/bin/jars/thirdparty/hive && tar -cvzf /opt/splunk_archiver-java-bin.tgz /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/* && cp /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest /opt/splunk/splunk-manifest.backup

TEST cmd.run 'tar -cvzf /opt/bin-jars-vendors-spark.tgz /opt/splunk/bin/jars/vendors/spark && tar -cvzf /opt/bin-jars-vendors-libs-splunk.tgz /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar && tar -cvzf /opt/bin-jars-thirdparty-hive.tgz /opt/splunk/bin/jars/thirdparty/hive && tar -cvzf /opt/splunk_archiver-java-bin.tgz /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/* && cp /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest /opt/splunk/splunk-manifest.backup'

PROD tar -cvzf /opt/bin-jars-vendors-spark.tgz /opt/splunk/bin/jars/vendors/spark && tar -cvzf /opt/bin-jars-vendors-libs-splunk.tgz /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar && tar -cvzf /opt/bin-jars-thirdparty-hive.tgz /opt/splunk/bin/jars/thirdparty/hive && tar -cvzf /opt/splunk_archiver-java-bin.tgz /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/* && cp /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest /opt/splunk/splunk-manifest.backup

cmd.run 'tar -cvzf /opt/bin-jars-vendors-spark.tgz /opt/splunk/bin/jars/vendors/spark && tar -cvzf /opt/bin-jars-vendors-libs-splunk.tgz /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar && tar -cvzf /opt/bin-jars-thirdparty-hive.tgz /opt/splunk/bin/jars/thirdparty/hive && tar -cvzf /opt/splunk_archiver-java-bin.tgz /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/* && cp /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest /opt/splunk/splunk-manifest.backup'

cmd.run 'ls -larth /opt/*tgz ; ls -larth /opt/splunk/*backup'
cmd.run 'ls -larth /opt/splunk/*backup'

DELETION

rm -rf /opt/splunk/bin/jars/vendors/spark
rm -rf /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar
rm -rf /opt/splunk/bin/jars/thirdparty/hive
rm -rf /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*

rm -rf /opt/splunk/bin/jars/vendors/spark && rm -rf /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar && rm -rf /opt/splunk/bin/jars/thirdparty/hive && rm -rf /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*

cmd.run 'rm -rf /opt/splunk/bin/jars/vendors/spark && rm -rf /opt/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar && rm -rf /opt/splunk/bin/jars/thirdparty/hive && rm -rf /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*'

REMOVAL FROM MANIFEST

TEST

sed -i "/splunk\/bin\/jars\/vendors\/spark/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest
sed -i "/splunk\/bin\/jars\/vendors\/libs\/splunk-library-javalogging-/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest
sed -i "/splunk\/bin\/jars\/thirdparty\/hive/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest
sed -i "/splunk\/etc\/apps\/splunk_archiver\/java-bin\/jars/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest

sed -i "/splunk\/bin\/jars\/vendors\/spark/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && sed -i "/splunk\/bin\/jars\/vendors\/libs\/splunk-library-javalogging-/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && sed -i "/splunk\/bin\/jars\/thirdparty\/hive/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && sed -i "/splunk\/etc\/apps\/splunk_archiver\/java-bin\/jars/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest

cmd.run 'sed -i "/splunk\/bin\/jars\/vendors\/spark/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && sed -i "/splunk\/bin\/jars\/vendors\/libs\/splunk-library-javalogging-/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && sed -i "/splunk\/bin\/jars\/thirdparty\/hive/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && sed -i "/splunk\/etc\/apps\/splunk_archiver\/java-bin\/jars/d" /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest'

grep 'splunk\/bin\/jars\/vendors\/spark' /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest
grep 'thirdparty\/hive' /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest
grep javalogging /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest

grep 'splunk\/bin\/jars\/vendors\/spark' /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && grep 'thirdparty\/hive' /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && grep javalogging /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest

Note: with `&&` the chain stops at the first grep that finds nothing, so "no output" only proves the first still-matching pattern is gone; the later patterns are only checked when each grep is run on its own (same applies to the cmd.run forms below).

cmd.run "grep 'splunk\/bin\/jars\/vendors\/spark' /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && grep 'thirdparty\/hive' /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest && grep javalogging /opt/splunk/splunk-8.2.3-cd08487076-linux-2.6-x86_64-manifest"

PROD splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest

sed -i "/splunk\/bin\/jars\/vendors\/spark/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest
sed -i "/splunk\/bin\/jars\/vendors\/libs\/splunk-library-javalogging-/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest
sed -i "/splunk\/bin\/jars\/thirdparty\/hive/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest
sed -i "/splunk\/etc\/apps\/splunk_archiver\/java-bin\/jars/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest

sed -i "/splunk\/bin\/jars\/vendors\/spark/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && sed -i "/splunk\/bin\/jars\/vendors\/libs\/splunk-library-javalogging-/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && sed -i "/splunk\/bin\/jars\/thirdparty\/hive/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && sed -i "/splunk\/etc\/apps\/splunk_archiver\/java-bin\/jars/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest

cmd.run 'sed -i "/splunk\/bin\/jars\/vendors\/spark/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && sed -i "/splunk\/bin\/jars\/vendors\/libs\/splunk-library-javalogging-/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && sed -i "/splunk\/bin\/jars\/thirdparty\/hive/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && sed -i "/splunk\/etc\/apps\/splunk_archiver\/java-bin\/jars/d" /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest'

cmd.run "grep 'splunk\/bin\/jars\/vendors\/spark' /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && grep 'splunk\/etc\/apps\/splunk_archiver\/java-bin' /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && grep 'thirdparty\/hive' /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest && grep javalogging /opt/splunk/splunk-8.2.2.1-ae6821b7c6-linux-2.6-x86_64-manifest"

DISABLE [Bucket Copy Trigger] SEARCH

mkdir /opt/splunk/etc/apps/splunk_archiver/local/ && echo -e "[Bucket Copy Trigger] \nenableSched = 0 \ndisabled=true" > /opt/splunk/etc/apps/splunk_archiver/local/savedsearches.conf && chown -R splunk: /opt/splunk/etc/apps/splunk_archiver/local

Note: if local/ already exists, mkdir fails and the rest of the chain does not run, so savedsearches.conf is not written on that host; the btool check below shows whether the stanza actually took effect.

cmd.run 'mkdir /opt/splunk/etc/apps/splunk_archiver/local/ && echo -e "[Bucket Copy Trigger] \nenableSched = 0 \ndisabled=true" > /opt/splunk/etc/apps/splunk_archiver/local/savedsearches.conf && chown -R splunk: /opt/splunk/etc/apps/splunk_archiver/local'

cmd.run 'cat /opt/splunk/etc/apps/splunk_archiver/local/savedsearches.conf'
cmd.run '/opt/splunk/bin/splunk btool savedsearches list --debug | grep splunk_archiver | grep disabled'

targets salt 'modelclient-splunk-[sh,cm]*' cmd.run 'systemctl restart splunk'

Note: in a Salt glob `[sh,cm]` is a character class matching any one of the characters `s`, `h`, `,`, `c`, `m`, not the alternatives `sh` or `cm`; confirm the minions it selects (e.g. with `test.ping` on the same target) before restarting.

FINAL CHECKS

salt -C 'splunk or search' cmd.run 'ls -larth /opt/splunk/bin/jars/vendors/spark'
salt -C 'splunk or search' cmd.run 'ls -larth /opt/splunk/etc/apps/splunk_archiver/java-bin/jars/*'

Manually take care of Phantom! /opt/phantom/splunk

ls -larth /opt/phantom/splunk/bin/jars/vendors/spark
ls -larth /opt/phantom/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar
ls -larth /opt/phantom/splunk/bin/jars/thirdparty/hive
ls -larth /opt/phantom/splunk/etc/apps/splunk_archiver/java-bin/jars/*

tar -cvzf /opt/bin-jars-vendors-spark.tgz /opt/phantom/splunk/bin/jars/vendors/spark
tar -cvzf /opt/bin-jars-vendors-libs-splunk.tgz /opt/phantom/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar
tar -cvzf /opt/bin-jars-thirdparty-hive.tgz /opt/phantom/splunk/bin/jars/thirdparty/hive
tar -cvzf /opt/splunk_archiver-java-bin.tgz /opt/phantom/splunk/etc/apps/splunk_archiver/java-bin/jars/*

Note: these archive names are the same as the ones used for the Splunk backup above; on a host that has both /opt/splunk and /opt/phantom/splunk they would overwrite the earlier backup.

ls -larth /opt

rm -rf /opt/phantom/splunk/bin/jars/vendors/spark && rm -rf /opt/phantom/splunk/bin/jars/vendors/libs/splunk-library-javalogging-.jar && rm -rf /opt/phantom/splunk/bin/jars/thirdparty/hive && rm -rf /opt/phantom/splunk/etc/apps/splunk_archiver/java-bin/jars/*

HF, idx, DS