The splunk modules are meant to be used with the httpapi connection plugin, and as such we set certain attributes in the inventory.
Example inventory.ini:
NOTE: The passwords should be stored in a secure location or an Ansible Vault.
NOTE: The default port for Splunk's REST API is 8089.
[splunk]
splunk.example.com
[splunk:vars]
ansible_network_os=splunk.es.splunk
ansible_user=admin
ansible_httpapi_pass=my_super_secret_admin_password
ansible_httpapi_port=8089
ansible_httpapi_use_ssl=yes
ansible_httpapi_validate_certs=True
ansible_connection=httpapi
Example playbook:
License: GPLv3
Author: Ansible Security Automation Team

This is the Ansible Collection provided by the Ansible Security Automation Team for automating actions in Splunk Enterprise Security SIEM.
This Collection is meant for distribution via Ansible Galaxy and is available for all Ansible users to utilize, contribute to, and provide feedback about.
An example of using this collection to manage a log source with Splunk Enterprise Security SIEM follows.
inventory.ini
(Note: the password should be managed by a Vault for a production environment.)
[splunk]
splunk.example.com
[splunk:vars]
ansible_network_os=splunk.es.splunk
ansible_user=admin
ansible_httpapi_pass=my_super_secret_admin_password
ansible_httpapi_port=8089
ansible_httpapi_use_ssl=yes
ansible_httpapi_validate_certs=True
ansible_connection=httpapi
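Both inventory listings on this page carry the same security-relevant settings: the connection must be httpapi, TLS and certificate validation must be on, and the admin password should not sit in the file in cleartext. The following check is an added example (not part of the splunk.es collection) that parses an INI inventory with the standard-library configparser and reports deviations from those settings. The two inventories embedded in it are constructed: the first is the README's own, the second is a deliberately weakened variant. Treating a value that starts with `!vault` or is a `{{ ... }}` variable reference as "not cleartext" is an assumption of this checker.

```python
import configparser

# Constructed sample: the inventory from the README, with the password in
# cleartext (the README itself says it belongs in Ansible Vault).
README_INVENTORY = """\
[splunk]
splunk.example.com
[splunk:vars]
ansible_network_os=splunk.es.splunk
ansible_user=admin
ansible_httpapi_pass=my_super_secret_admin_password
ansible_httpapi_port=8089
ansible_httpapi_use_ssl=yes
ansible_httpapi_validate_certs=True
ansible_connection=httpapi
"""

# Constructed weakened variant: TLS off, certificate validation off,
# non-default port, cleartext password.
WEAK_INVENTORY = """\
[splunk]
splunk.example.com
[splunk:vars]
ansible_network_os=splunk.es.splunk
ansible_user=admin
ansible_httpapi_pass=hunter2
ansible_httpapi_port=8000
ansible_httpapi_use_ssl=no
ansible_httpapi_validate_certs=False
ansible_connection=httpapi
"""

TRUTHY = {"yes", "true", "1", "on"}


def is_vaulted(value):
    """Assumption: an inline '!vault' blob or a '{{ var }}' reference to a
    vaulted variable counts as not-cleartext; anything else is cleartext."""
    v = value.strip()
    return v.startswith("!vault") or (v.startswith("{{") and v.endswith("}}"))


def load_group_vars(text, group):
    """Return the [group:vars] section of an INI inventory as a dict.
    allow_no_value is required because host lines such as 'splunk.example.com'
    have no '=' and would otherwise raise configparser.ParsingError."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    section = f"{group}:vars"
    if not cp.has_section(section):
        return {}
    return dict(cp.items(section))


def check_splunk_inventory(text, group="splunk"):
    """Return a list of findings (empty list means the group vars look right)."""
    v = load_group_vars(text, group)
    findings = []
    if v.get("ansible_connection") != "httpapi":
        findings.append("ansible_connection must be httpapi for the splunk.es modules")
    if v.get("ansible_network_os") != "splunk.es.splunk":
        findings.append("ansible_network_os must be splunk.es.splunk")
    if v.get("ansible_httpapi_use_ssl", "").lower() not in TRUTHY:
        findings.append("ansible_httpapi_use_ssl is off: credentials would cross the wire in cleartext")
    if v.get("ansible_httpapi_validate_certs", "").lower() not in TRUTHY:
        findings.append("ansible_httpapi_validate_certs is off: the REST endpoint is not authenticated")
    pw = v.get("ansible_httpapi_pass")
    if pw is not None and not is_vaulted(pw):
        findings.append("ansible_httpapi_pass is stored in cleartext; move it to Ansible Vault")
    port = v.get("ansible_httpapi_port", "8089")  # Splunk REST API default
    if port != "8089":
        findings.append(f"ansible_httpapi_port={port} is not the Splunk REST default 8089; confirm it is intended")
    return findings


if __name__ == "__main__":
    for label, inv in (("README", README_INVENTORY), ("weak", WEAK_INVENTORY)):
        print(label, check_splunk_inventory(inv))
```

Running the block reports a single finding for the README inventory (the cleartext password) and four for the weakened variant; replacing the password value with a vaulted variable reference such as `{{ vault_splunk_pass }}` clears the README inventory entirely.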
With Ansible Collections there are various ways to utilize them: either by calling specific content from the Collection, such as a module, by its Fully Qualified Collection Name (FQCN), as we'll show in this example, or by defining a Collection Search Path, as the examples below will display.
It should be noted that the FQCN method is the recommended method, but the shorthand options listed below exist for convenience.
splunk_with_collections_fqcn_example.yml
---
- name: demo splunk
  hosts: splunk
  gather_facts: False
  tasks:
    - name: test splunk_data_input_monitor
      splunk.es.data_input_monitor:
        name: "/var/log/demo.log"
        state: "present"
        recursive: True
    - name: test splunk_data_input_network
      splunk.es.data_input_network:
        name: "9001"
        protocol: "tcp"
        state: "absent"
    - name: test splunk_correlation_search
      splunk.es.correlation_search:
        name: "Test Demo Correlation Search From Playbook"
        description: "Test Demo Correlation Search From Playbook, description."
        search: 'source="/var/log/snort.log"'
        state: "present"
    - name: test splunk_adaptive_response_notable_event
      splunk.es.adaptive_response_notable_event:
        name: "Demo notable event from playbook"
        correlation_search_name: "Test Demo Correlation Search From Playbook"
        description: "Test Demo notable event from playbook, description."
        state: "present"
        next_steps:
          - ping
          - nslookup
        recommended_actions:
          - script
Below we specify our collection at the Play level, which allows us to use the splunk modules without prefixing them with the Ansible Collection Namespace.
splunk_with_collections_example.yml
---
- name: demo splunk
  hosts: splunk
  gather_facts: False
  collections:
    - splunk.es
  tasks:
    - name: test splunk_data_input_monitor
      data_input_monitor:
        name: "/var/log/demo.log"
        state: "present"
        recursive: True
    - name: test splunk_data_input_network
      data_input_network:
        name: "9001"
        protocol: "tcp"
        state: "absent"
    - name: test splunk_correlation_search
      correlation_search:
        name: "Test Demo Correlation Search From Playbook"
        description: "Test Demo Correlation Search From Playbook, description."
        search: 'source="/var/log/snort.log"'
        state: "present"
    - name: test splunk_adaptive_response_notable_event
      adaptive_response_notable_event:
        name: "Demo notable event from playbook"
        correlation_search_name: "Test Demo Correlation Search From Playbook"
        description: "Test Demo notable event from playbook, description."
        state: "present"
        next_steps:
          - ping
          - nslookup
        recommended_actions:
          - script
Below we use the collections keyword at the block level; inside that block we are able to use the splunk modules without the Ansible Collection Namespace.
splunk_with_collections_block_example.yml
---
- name: demo splunk
  hosts: splunk
  gather_facts: False
  tasks:
    - name: collection namespace block
      block:
        - name: test splunk_data_input_monitor
          data_input_monitor:
            name: "/var/log/demo.log"
            state: "present"
            recursive: True
        - name: test splunk_data_input_network
          data_input_network:
            name: "9001"
            protocol: "tcp"
            state: "absent"
        - name: test splunk_correlation_search
          correlation_search:
            name: "Test Demo Correlation Search From Playbook"
            description: "Test Demo Correlation Search From Playbook, description."
            search: 'source="/var/log/snort.log"'
            state: "present"
        - name: test splunk_adaptive_response_notable_event
          adaptive_response_notable_event:
            name: "Demo notable event from playbook"
            correlation_search_name: "Test Demo Correlation Search From Playbook"
            description: "Test Demo notable event from playbook, description."
            state: "present"
            next_steps:
              - ping
              - nslookup
            recommended_actions:
              - script
      collections:
        - splunk.es
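The three playbooks above show the same four tasks written with FQCNs, with a play-level `collections:` search path, and with a block-level one. To make the resolution rule concrete, here is an added example (not code from the splunk.es collection or from Ansible) that models how a task's module name is resolved: a dotted name is taken as an FQCN, a short name is looked up through the nearest enclosing `collections:` list, and a block's own list replaces the play's for the tasks inside it. The module catalogue, the implicit `ansible.builtin` fallback, and the hypothetical `example.other` collection (which collides on `data_input_monitor` to show why the FQCN form is recommended) are all constructed assumptions of this example; the playbooks are embedded as Python data equivalent to the YAML so that no YAML library is needed.

```python
# Constructed catalogue: the four splunk.es modules from the README, a few
# ansible.builtin modules, and a hypothetical 'example.other' collection that
# also ships a data_input_monitor module (to show a name collision).
CATALOGUE = {
    "splunk.es": {"data_input_monitor", "data_input_network",
                  "correlation_search", "adaptive_response_notable_event"},
    "ansible.builtin": {"debug", "ping", "command"},
    "example.other": {"data_input_monitor"},
}

# Task keys that are Ansible keywords rather than module names (a subset).
TASK_KEYWORDS = {"name", "block", "collections", "when", "register", "loop"}


def module_key(task):
    """Return the key that names the task's module (the first non-keyword key)."""
    for key in task:
        if key not in TASK_KEYWORDS:
            return key
    return None


def resolve(name, search_path):
    """Return (fqcn_or_None, notes) for one module name as written in a task."""
    if "." in name:                       # already fully qualified
        ns, coll, mod = name.split(".", 2)
        if mod in CATALOGUE.get(f"{ns}.{coll}", set()):
            return name, []
        return None, [f"{name}: unknown module"]
    # Short name: walk the search path; assumption: ansible.builtin is appended.
    path = list(search_path) + ["ansible.builtin"]
    matches = [c for c in path if name in CATALOGUE.get(c, set())]
    if not matches:
        return None, [f"{name}: not found in search path {path}"]
    fqcn = f"{matches[0]}.{name}"
    notes = []
    if len(matches) > 1:
        notes.append(f"{name}: also provided by {matches[1:]}; {fqcn} wins by "
                     "search order, write the FQCN to be explicit")
    return fqcn, notes


def walk(tasks, search_path):
    """Resolve each task in a task list, descending into blocks. A block's own
    `collections:` replaces the inherited search path for the tasks inside it."""
    results = []
    for task in tasks:
        path = task.get("collections", search_path)
        if "block" in task:
            results.extend(walk(task["block"], path))
            continue
        mod = module_key(task)
        if mod is None:
            results.append((task.get("name"), None, None, ["task has no module"]))
            continue
        fqcn, notes = resolve(mod, path)
        results.append((task.get("name"), mod, fqcn, notes))
    return results


def resolve_playbook(playbook):
    """Return [(task name, module as written, resolved FQCN or None, notes)]."""
    results = []
    for play in playbook:
        results.extend(walk(play.get("tasks", []), play.get("collections", [])))
    return results


# Constructed playbooks mirroring the README's three styles.
FQCN_PLAYBOOK = [{"name": "demo splunk", "hosts": "splunk", "tasks": [
    {"name": "monitor", "splunk.es.data_input_monitor": {"name": "/var/log/demo.log"}},
]}]

PLAY_LEVEL_PLAYBOOK = [{"name": "demo splunk", "hosts": "splunk",
                        "collections": ["splunk.es"], "tasks": [
    {"name": "monitor", "data_input_monitor": {"name": "/var/log/demo.log"}},
    {"name": "say hi", "debug": {"msg": "hi"}},
]}]

BLOCK_LEVEL_PLAYBOOK = [{"name": "demo splunk", "hosts": "splunk", "tasks": [
    {"name": "collection namespace block",
     "block": [{"name": "search", "correlation_search": {"name": "demo"}}],
     "collections": ["splunk.es"]},
    # Outside the block there is no search path, so this short name fails.
    {"name": "outside", "data_input_monitor": {"name": "/var/log/demo.log"}},
]}]

COLLIDING_PLAYBOOK = [{"name": "demo", "hosts": "splunk",
                       "collections": ["example.other", "splunk.es"], "tasks": [
    {"name": "ambiguous", "data_input_monitor": {"name": "/var/log/demo.log"}},
]}]

if __name__ == "__main__":
    for pb in (FQCN_PLAYBOOK, PLAY_LEVEL_PLAYBOOK, BLOCK_LEVEL_PLAYBOOK, COLLIDING_PLAYBOOK):
        for row in resolve_playbook(pb):
            print(row)
```

The block-level playbook shows the practical consequence of the README's third style: a short name used outside the block resolves to nothing, while the same name inside the block resolves to `splunk.es`. The colliding playbook shows why the README recommends FQCNs: with two collections on the search path that both provide `data_input_monitor`, search order silently decides which one runs.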