mocofound / vss

Vault Splunk Stack

Vault Splunk Stack (VSS)

What?

It is a small Docker-based stack, composed with Terraform, consisting of:

  1. Vault
  2. Fluentd
  3. Telegraf
  4. Splunk

This project uses the fluentd-splunk-hec image for the Fluentd component. That image is not generally useful; it was built mostly for this project's specific needs, but it serves as an example of a custom Fluentd image with an additional plugin installed.

Why?

To quickly spin up an environment for using Vault telemetry metrics with Splunk

How?

  1. Install Docker for your OS
  2. Install Terraform for your OS
  3. Clone this repository
  4. Change into the directory and use Terraform to start the show!
$ cd vss && \
terraform init && \
terraform plan -out vss.plan && \
terraform apply -auto-approve vss.plan

Okay, now what?

Vault is configured and running as a single server with a filesystem storage backend, no TLS, and telemetry configured to send metrics to Telegraf. This is a local lab configuration: plaintext HTTP and a single unseal key share are fine for exploring telemetry, not for anything that holds real secrets.

Telegraf is spun up with a configuration that uses an HTTP Event Collector (HEC) token to push those metrics to Splunk.

Splunk is spun up with a fully configured vault-metrics index and an HEC input for receiving the metrics forwarded by Telegraf.

It's all ready to use out-of-the-box.

Use Vault

Export the correct VAULT_ADDR value to communicate with the Vault container.

$ export VAULT_ADDR=http://127.0.0.1:8200

Get a quick status.

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            n/a
HA Enabled         false

If everything is okay, initialize Vault, unseal it, and log in with the initial root token. A single key share with a threshold of one is a demo-only setting; it writes the sole unseal key and the root token to ./vault.init in plaintext, so restrict that file's permissions and delete it when you tear the stack down.

$ vault operator init \
      -key-shares=1 \
      -key-threshold=1 \
      | head -n3 > ./vault.init && \
      vault operator unseal \
      $(grep 'Unseal Key 1' ./vault.init | awk '{print $NF}') && \
      vault login $(grep 'Initial Root Token' ./vault.init | awk '{print $NF}')

Enable a file audit device log.

$ vault audit enable file file_path=/vault/logs/vault-audit.log

Add a "sudo" policy. It grants every capability on every path, which makes any user holding it root-equivalent; that keeps the demo short, but it is not a policy to copy into a real deployment.

$ vault policy write sudo - << EOT
// Example policy: "sudo"
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOT

Enable the userpass auth method.

$ vault auth enable userpass

Add a demo user and attach sudo policy.

$ vault write auth/userpass/users/demo password=abc.123 policies=sudo

Generate some stuff...

Log in 200 times to generate login events in the audit log and in the metrics. Each vault login replaces the cached root token with the demo user's token; the demo user's sudo policy is what lets the following steps succeed.

$ for i in {1..200}; do
      vault login -method=userpass username=demo password=abc.123
  done

Create 142 identity entities.

$ for i in {1..142}; do
      vault write -f identity/entity
  done

Create 200 tokens with only the default policy.

$ for i in {1..200}; do
      vault token create -policy=default
  done
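The audit device enabled above records every one of these requests as a JSON line, with passwords and tokens replaced by HMAC-SHA256 digests. The following shell script is an added example, not part of the vss project, that counts the generated logins, entities and tokens in such a log and checks that no credential reached the log in cleartext. The log lines it embeds are constructed samples in the audit device's shape (the ids, timestamps and digests are made up), and the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of the vss project: inspect a Vault file audit
# device log for the activity generated above and confirm that secrets
# are not present in cleartext.
# Vault's file audit device writes one JSON object per line; "request"
# records carry the operation and path, and sensitive values (passwords,
# tokens) are replaced with HMAC-SHA256 digests prefixed "hmac-sha256:".
# The lines written by make_sample_audit_log are CONSTRUCTED samples in
# that shape (ids, times and digests are made up), not captured output.

make_sample_audit_log() {
  # $1: file to write the constructed sample log into
  cat > "$1" <<'EOF'
{"time":"2024-01-01T10:00:00Z","type":"request","auth":{},"request":{"id":"r1","operation":"update","path":"auth/userpass/login/demo","data":{"password":"hmac-sha256:1a2b3c"}}}
{"time":"2024-01-01T10:00:00Z","type":"response","auth":{"display_name":"userpass-demo","policies":["default","sudo"]},"request":{"id":"r1","operation":"update","path":"auth/userpass/login/demo"},"response":{"auth":{"client_token":"hmac-sha256:4d5e6f"}}}
{"time":"2024-01-01T10:00:01Z","type":"request","auth":{},"request":{"id":"r2","operation":"update","path":"auth/userpass/login/demo","data":{"password":"hmac-sha256:1a2b3c"}}}
{"time":"2024-01-01T10:00:02Z","type":"request","auth":{"display_name":"userpass-demo","policies":["default","sudo"]},"request":{"id":"r3","operation":"update","path":"identity/entity"}}
{"time":"2024-01-01T10:00:03Z","type":"request","auth":{"display_name":"userpass-demo","policies":["default","sudo"]},"request":{"id":"r4","operation":"update","path":"auth/token/create","data":{"policies":["default"]}}}
{"time":"2024-01-01T10:00:03Z","type":"response","auth":{"display_name":"userpass-demo"},"request":{"id":"r4","operation":"update","path":"auth/token/create"},"response":{"auth":{"client_token":"hmac-sha256:7a8b9c","policies":["default"]}}}
EOF
}

count_requests() {
  # $1: path prefix, $2: audit log file. Prints the number of "request"
  # records whose path starts with the prefix (responses are not counted).
  # grep -c exits 1 when the count is 0, so "|| true" keeps the "0".
  n=$(grep '"type":"request"' "$2" | grep -Fc "\"path\":\"$1" || true)
  echo "$n"
}

unhashed_secret_lines() {
  # $1: audit log file. Prints the number of lines that carry a password
  # or client_token field which is NOT an hmac-sha256 digest. Expected: 0.
  n=$(grep -E '"(password|client_token)":"' "$1" \
      | grep -Evc '"(password|client_token)":"hmac-sha256:' || true)
  echo "$n"
}

audit_summary() {
  # $1: audit log file. Prints one line per check.
  printf 'userpass logins:  %s\n' "$(count_requests 'auth/userpass/login/' "$1")"
  printf 'entities created: %s\n' "$(count_requests 'identity/entity' "$1")"
  printf 'tokens created:   %s\n' "$(count_requests 'auth/token/create' "$1")"
  printf 'unhashed secrets: %s\n' "$(unhashed_secret_lines "$1")"
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
make_sample_audit_log "$sample"
audit_summary "$sample"
rm -f "$sample"
```

Against the real stack, copy /vault/logs/vault-audit.log out of the Vault container with docker cp and pass that path to audit_summary; after the loops above, the counts should match the loop sizes and the unhashed-secret line should read 0.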

Use Splunk

Visit Splunk Web at http://127.0.0.1:8000 and log in with:

  • Username: admin
  • Password: vss-password

Cleanup

When finished, you can tear the stack down like this. Terraform 0.12 and later deprecate the -force flag for destroy; on newer releases use terraform destroy -auto-approve instead.

$ terraform destroy --force

License: BSD 2-Clause "Simplified" License

Language: HCL (100.0%)