Update Splunk Enterprise


If you need to update the Splunk software to pick up security patches, proceed as follows.

  1. Download the software from the Splunk website (we use the Linux version) as an "*.rpm" package (in our case splunk-6.6.0-1c4f3bbe1aea-linux-2.6-x86_64.rpm)
  2. Install the update. Note the NOKEY warning in the output below: rpm could not verify the package signature because Splunk's signing key (key ID 653fb112) is not imported on this host, so the package was installed unverified:
[root@splunk ~]# rpm -Uvh splunk-6.6.0-1c4f3bbe1aea-linux-2.6-x86_64.rpm

warning: splunk-6.6.0-1c4f3bbe1aea-linux-2.6-x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 653fb112: NOKEY
Preparing...                          ################################# [100%]
This looks like an upgrade of an existing Splunk Server. Attempting to stop the installed Splunk Server...
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
..                                                         [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.
Updating / installing...
   1:splunk-6.6.0-1c4f3bbe1aea        ################################# [ 50%]
complete
Cleaning up / removing...
   2:splunk-6.5.2-67571ef4b87d        ################################# [100%]
  3. After the installation, start the application
[root@splunk ~]# cd /opt/splunk/bin/
[root@splunk bin]# ./splunk start
SOFTWARE LICENSE AGREEMENT

THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE LICENSING, INSTALLATION AND USE OF SPLUNK
......

Perform migration and upgrade without previewing configuration changes? [y/n] y

-- Migration information is being logged to '/opt/splunk/var/log/splunk/migration.log.2017-05-17.15-21-25' --

Migrating to:
VERSION=6.6.0
BUILD=1c4f3bbe1aea
PRODUCT=splunk
PLATFORM=Linux-x86_64

Copying '/opt/splunk/etc/myinstall/splunkd.xml' to '/opt/splunk/etc/myinstall/splunkd.xml-migrate.bak'.

Checking saved search compatibility...

Checking for possible timezone configuration errors...

Handling deprecated files...

Checking script configuration...

Copying '/opt/splunk/etc/myinstall/splunkd.xml.cfg-default' to '/opt/splunk/etc/myinstall/splunkd.xml'.
Deleting '/opt/splunk/etc/system/local/field_actions.conf'.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules' to '/opt/splunk/share/splunk/search_mrsparkle/modules.old.20170517-152126'.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
The following apps might contain lookup table files that are not exported to other apps:

        splunk_monitoring_console

Such lookup table files could only be used within their source app.  To export them globally and allow other apps to access them, add the following stanza to each /opt/splunk/etc/apps/<app_name>/metadata/local.meta file:

        [lookups]
        export = system

For more information, see http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/SetPermissions#Make_objects_globally_available.
Checking for possible UI view conflicts...
 App "splunk_monitoring_console" has an overriding copy of the "dashboards.xml" view, thus the new version may not be in effect. location=/opt/splunk/etc/apps/splunk_monitoring_console/default/data/ui/views
 App "splunk_monitoring_console" has an overriding copy of the "reports.xml" view, thus the new version may not be in effect. location=/opt/splunk/etc/apps/splunk_monitoring_console/default/data/ui/views
 App "splunk_monitoring_console" has an overriding copy of the "alerts.xml" view, thus the new version may not be in effect. location=/opt/splunk/etc/apps/splunk_monitoring_console/default/data/ui/views
 App "splunk_instrumentation" has an overriding copy of the "search.xml" view, thus the new version may not be in effect. location=/opt/splunk/etc/apps/splunk_instrumentation/default/data/ui/views
Removing legacy manager XML files...
Removing legacy nav XML files...
DMC is not set up, no need to migrate nav bar.
Removing System Activity dashboards...
Removing splunkclouduf XML file...
Removing splunkclouduf view XML files...
Distributed Search is not configured on this instance

It seems that the Splunk default certificates are being used. If certificate validation is turned on using the default certificates (not-recommended), this may result in loss of communication in mixed-version Splunk environments after upgrade.

"/opt/splunk/etc/auth/ca.pem": already a renewed Splunk certificate: skipping renewal
"/opt/splunk/etc/auth/cacert.pem": already a renewed Splunk certificate: skipping renewal
Clustering migration already complete, no further changes required.

Generating checksums for datamodel and report acceleration bucket summaries for all indexes.
If you have defined many indexes and summaries, summary checksum generation may take a long time.
Processed 1 out of 8 configured indexes.
Processed 2 out of 8 configured indexes.
Processed 3 out of 8 configured indexes.
Processed 4 out of 8 configured indexes.
Processed 5 out of 8 configured indexes.
Processed 6 out of 8 configured indexes.
Processed 7 out of 8 configured indexes.
Processed 8 out of 8 configured indexes.
Finished generating checksums for datamodel and report acceleration bucket summaries for all indexes.

Splunk> 4TW

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [9089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-6.6.0-1c4f3bbe1aea-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
                                                           [  OK  ]

Waiting for web server at http://127.0.0.1:8000 to be available.................. Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
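The upgrade as shown above installs the package even though rpm printed NOKEY, i.e. without a verified signature, and it relies on the operator to eyeball the version. The script below is an added example (not code from the original post or from Splunk) that wraps steps 2 and 3 in a pre-flight check: it imports Splunk's PGP public key, refuses to install a package whose signature rpm cannot verify, confirms the package is really newer than the installed one, and only then runs the same rpm -Uvh and splunk start. The key-file location (SPLUNK_PGP_KEY, default /root/SplunkPGPKey.pub) is an assumption; the key itself has to be obtained from Splunk's documentation site beforehand.

```shell
#!/bin/sh
# Pre-flight wrapper for the Splunk RPM upgrade in the post. Added example,
# not part of the original post or of Splunk. Assumption: Splunk's PGP public
# key has been saved to $SPLUNK_PGP_KEY (default /root/SplunkPGPKey.pub).

KEYFILE="${SPLUNK_PGP_KEY:-/root/SplunkPGPKey.pub}"

# Version string of a Splunk package, from either an RPM file name
# (splunk-6.6.0-1c4f3bbe1aea-linux-2.6-x86_64.rpm -> 6.6.0) or an installed
# package name as printed by "rpm -q splunk" (splunk-6.5.2-67571ef4b87d -> 6.5.2).
splunk_version_of() {
  printf '%s\n' "$1" | sed -n 's/^splunk-\([0-9][0-9.]*\)-.*/\1/p'
}

# Exit 0 when dotted version $1 is strictly newer than $2 (numeric per field,
# so 6.10.0 is newer than 6.9.1; missing fields count as 0).
version_gt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 1
  }'
}

# Interpret the output of "rpm -K <pkg>". Exit 0 only when rpm reports the
# signature as verified; "NOT OK", "NOKEY" or "MISSING KEYS" all mean the
# package is unverified, which is the state behind the warning in the post.
signature_verified() {
  case "$1" in
    *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) return 1 ;;
    *" OK"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Gate the upgrade: import the key, verify the signature, make sure the package
# is newer than what is installed, then run the same commands as the post.
preflight_upgrade() {
  pkg="$1"
  [ -r "$pkg" ] || { echo "package not found: $pkg" >&2; return 2; }
  if [ -r "$KEYFILE" ]; then
    rpm --import "$KEYFILE" || return 2
  fi
  sig="$(rpm -K "$pkg" 2>&1)"
  if ! signature_verified "$sig"; then
    echo "refusing to install unverified package: $sig" >&2
    return 1
  fi
  new="$(splunk_version_of "$(basename "$pkg")")"
  old="$(splunk_version_of "$(rpm -q splunk 2>/dev/null)")"
  if [ -n "$old" ] && ! version_gt "$new" "$old"; then
    echo "installed version $old is not older than $new; aborting" >&2
    return 1
  fi
  rpm -Uvh "$pkg" || return 1
  # --accept-license and --answer-yes replace the interactive prompts shown
  # in the post (license text, migration confirmation).
  /opt/splunk/bin/splunk start --accept-license --answer-yes
}

# Runs only when given a package argument, e.g.
#   sh splunk-upgrade.sh splunk-6.6.0-1c4f3bbe1aea-linux-2.6-x86_64.rpm
if [ $# -gt 0 ]; then
  preflight_upgrade "$1"
fi
```

Once the key is imported, rpm -K prints the signature line ending in OK and the NOKEY warning disappears from rpm -Uvh; if the key is missing or the package was tampered with, the script stops before anything is stopped or replaced on the host. The version check is a second guard against accidentally "upgrading" to an older build that rpm -U would otherwise refuse with a less obvious error.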

Posted in Splunk on May 19, 2017