Project presentation
For technical documentation, please refer to README.md
cca_for_splunk - CCA (Continuous Configuration Automation) framework for Splunk - is built from a set of well-organized Ansible playbooks and roles that together cover the common management tasks needed throughout the whole lifecycle of your Splunk journey. Find the power in managing your environment with ease, giving you full control over all Splunk configuration settings, upgrades and app deployment!
If you already have or are planning to implement any of Splunk's Validated Architectures, which we strongly recommend that you read up on, we cover the required configuration for them out-of-the-box. They also serve as baselines and a starting point for configuring custom architectures.
Whether you have a single Splunk instance with just a couple of GB of data or run several dedicated multisite Splunk Index and Search Head Clusters, each handling tens of TB of data, CCA for Splunk scales with your needs. Finding yourself with requirements to handle multiple environments, e.g. development, production, emea, apac or americas? There are no limits in the framework - create as many as you like, and each of them will keep your Ansible inventory and settings separated in a structured way. The split architecture of this automation framework stores all custom settings outside the cca_for_splunk repo, so you can track your own settings and apps in private repos or even write full extensions to fit your operational needs.
Every organization that invests in Splunk does so to satisfy different needs, where putting data to good use and creating business value is part of the objective - in one way or another. Independent of what those objectives are, everyone working directly or indirectly with Splunk in the various roles throughout a Splunk-empowered organization will benefit from having the CCA for Splunk automation framework as a cornerstone of Splunk operations. There is really something for everyone, directly or indirectly.
Splunk Admins have a great responsibility to keep the platform running and deliver a performant service for users. In practice, this always boils down to finding an efficient way to manage all types of configuration while also keeping the Splunk infrastructure secure and making sure that things like getting data in don't become a bottleneck for the users of the platform. The ideas behind CCA for Splunk are very much derived from solving this equation in an efficient yet secure and scalable way, based on our own experiences from managing Splunk in large corporations. We know how hard it can be to keep up with all the day-to-day tasks, follow all internal policies and external pressures, while also implementing all the new cool features that keep coming from the Splunk ecosystem. With this framework in your hands, you can configure, upgrade, scale out, install and fully control all servers and apps in your Splunk platform in a standardized and automated way, so the focus can be centered on how to best support the business value creation of the organization instead of looking for where to apply what setting and endless upgrade sync meetings.
Splunk Service Owners have the responsibility to provide Splunk services that serve the ever-changing needs of your business. Having a fully automated Splunk platform, compared with one that is managed manually, can make a big difference in your ability to meet the next business demand. Many Service Owners find themselves fighting with long queues of data onboarding requests, incompatibility between apps and Splunk versions, or issues scaling the platform to meet capacity and performance demands as they appear. Instead of planning the next innovation you get stuck in war-rooms to figure out what the hell went wrong. Reliability of operations and speed in adjusting to needs are must-haves to be able to provide quality services. Put this framework in the hands of your Splunk Admins to resolve bottlenecks, put your focus on adoption throughout the organization, involve people directly by providing self-services to consume, and be the hero who actually nudges data-driven decision making out into the organization.
Splunk Business Owners, who own a business that utilizes Splunk to achieve data goals, may not directly interact with CCA for Splunk - however, there are huge benefits in having your business incorporate CCA for Splunk to efficiently boost its data capabilities. The theoretical benefits of any technology are limited by the practical operational efficiency of it. With this framework come several clear advantages that can help fulfil business goals supported by Splunk's capabilities, due to the inherent benefits of standardization in terms of predictability, by replacing manual labor with automation and orchestration. Every technology's effectiveness is a combination of its inherent potential and the trust in it, where the former is often capped by the latter, and speed, reliability and performance are the best way to build and keep trust in the long run.
Splunk App Developers' ability to develop and create business value out of data requires not only a deep understanding of the mission and goals of the target area but also extensive SPL know-how - and none of that matters without a performant data platform service that provides access to the right data. With CCA for Splunk, the time to value of development can be reduced significantly, as it lends itself well to building self-services around both commissioning of new infrastructure for development instances and CI/CD pipeline integration to push the apps you've developed, with full version control, and deploy them with ease between instances in just seconds. CCA for Splunk basically enables a modern software development approach if implemented correctly technically and integrated into the organization's processes. Even if you never directly work with CCA for Splunk, having it in the background of your organization will directly influence your Splunk experience and let your skills shine by waiting less and SPL:ing more, ultimately using Splunk for what it's supposed to help with - producing business value out of data.
Splunk Consultants' whole business idea is to help Splunk clients, and the best way to do that is to make the clients succeed. Doing manual administration of tedious tasks is at best dealing with the symptoms of inefficient operations and a short-term strategy. It comes with limited long-term value and carries obvious risks, as it's easily viewed as just a cost - not to mention that it is boring. Do yourself and your clients a favor and build a case to invest in a fully automated Splunk platform right from the start. As all Splunk platforms are implemented to serve a set of business goals, and the administration of the technology itself creates no real business value, why not lower time to value by making sure that more users and use cases can be onboarded quickly, and free up your time and effort for introducing Splunk, supporting development of new solutions, and efforts that turn data into real business value.
The CCA for Splunk framework comes with an extensive set of Ansible playbooks and roles that help with the administration of Splunk on multiple levels.
- Change verification - with the use of Ansible check-mode, all proposed changes for deployment can be verified before they are actually implemented.
- Splunk Installation - easy and controlled way to install Splunk with security enabled right from the start.
- Splunk Upgrade - plan and perform upgrades methodically, efficiently and predictably with full control.
- OS Configuration - enable secure and optimized settings for the host OS to complement Splunk best practices.
- Splunk Certificates - distribute and control your own certificates for all Splunk services.
- Splunk Security Enablement - implement Splunk recommendations and best practices by default.
- Splunk Data Onboarding - control all sorts of data onboarding, from deployer configuration to HTTP Event Token management to add-ons like DB Connect, fully configured after deployment.
- Centralized App repository - version controlled to handle the right app version for the right Splunk version, enabling multi-stage environment test and deploy schemes and easy knowledge bundle distribution.
- Centralized Configuration repository - create and work towards an abstraction of the configuration of your Splunk environments, effectively enabling a modern software development approach to Splunk management.
- Extension support - extend CCA with new capabilities to cover niche or custom use cases beyond the CCA for Splunk feature set.
CCA for Splunk has prerequisites and recommendations in terms of Splunk version, OS version, Ansible version and certain supporting technologies. For the full set of requirements, see README.md.
To set up CCA for Splunk, we have developed an Automation Readiness playbook that calculates a score for how well prepared the environment is to run CCA for Splunk in. It also provides a step-by-step installation schedule. For more information, see automation_readiness.md.
For any technical questions we refer to the README.md, the subsequent READMEs linked from it, as well as the well-commented code itself.
If you find something like a bug in the code, feel free to explore Issues and see if it is already acknowledged. Feel free to contribute your findings and any feature requests by contacting us at datatribe (at) se.orangecyberdefense.com, and we will review them and provide feedback on your request.
If you are interested in a commercial contact with the team behind the project, please visit CCA for Splunk contact page here.