Colby W. yorokobi

## var_log_foreman-installer_katello.log
foreman-installer --scenario katello --enable-foreman-plugin-puppet --enable-foreman-cli-puppet --foreman-proxy-puppet true --foreman-proxy-puppetca true --foreman-proxy-content-puppet true --enable-puppet --puppet-server true --puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt --puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt --puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key
2022-10-21 00:31:14 [NOTICE] [root] Loading installer configuration. This will take some time.
2022-10-21 00:31:18 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2022-10-21 00:31:18 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTI

## gist:4d866bbcf1dab7eea92e7622cb852dd6
| eval severity = case(
    severity="critical", "┻━┻︵ \(°□°)/ ︵ ┻━┻ ".severity,
    severity="high", "(╯°□°)╯ ︵ ┻━┻ ".severity,
    severity="medium", "ಠ_ಠ ".severity,
    severity="low", "(っ◕‿◕)っ ".severity,
    severity="info", "♥‿♥ ".severity,
    true(), severity
)

## gist:04a3f503ca15bf6a5768
_____________________

PROPS.CONF
_____________________

[iis]
TRANSFORMS-syslog = send_to_syslog

[WinEventLog:Security]
TRANSFORMS-syslog = send_to_syslog

## gist:7c63e36c6c445f6f62f1
| rest /services/deployment/server/clients splunk_server=local
| fields averagePhoneHomeInterval build clientName guid hostname lastPhoneHomeTime splunkVersion utsname
| rex field=hostname "(?<sourceHost>[^\.]+)\.(?<sourceDomain>.+)"
| eval sourceHost = if( isnull(sourceDomain), hostname, sourceHost )
| eval sourceHost = lower(sourceHost)
| rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)"
| eval os = case( os = "linux", "Linux", os = "windows", "Windows" )
| fields - utsname hostname
| convert timeformat="%F %T" ctime(lastPhoneHomeTime)
| table sourceHost sourceDomain os arch splunkVersion build guid clientName averagePhoneHomeInterval lastPhoneHomeTime updated

## gist:40ca9f11cf0f56764df9
| rest /services/shcluster/member/members splunk_server=local
| table label status title artifact_count status_counter.Complete advertise_restart_required last_heartbeat
| eval is_captain = "No"
| eval is_current = "No"
| eval artifacts_not_reaped = artifact_count - 'status_counter.Complete'
| eval heartbeat_diff = now() - last_heartbeat
| join type=outer label
[
| rest /services/shcluster/status splunk_server=local
| fields captain.label

## gist:b9f5c8191c04091b4a11
| rest /services/deployment/server/clients splunk_server=local |
fields averagePhoneHomeInterval build clientName guid hostname lastPhoneHomeTime updated utsname |
rex field=hostname "(?<sourceHost>[^\.]+)\.(?<sourceDomain>.+)" |
eval sourceHost = if( isnull(sourceDomain), hostname, sourceHost ) |
rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)" |
eval os = case( os = "linux", "Linux", os = "windows", "Windows" ) |
fields - utsname hostname |
lookup version2build.csv build |
table sourceHost sourceDomain os arch version build guid clientName averagePhoneHomeInterval lastPhoneHomeTime updated |
sort version sourceHost sourceDomain

## gist:39dadf570689c4f9f0d1
index=_internal source="*metrics.lo*" group=tcpin_connections earliest=-7d latest=now
| eval sourceHost = if( isnull(hostname), sourceHost, hostname )
| dedup sourceHost
| eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Lightweight Forwarder",fwdType=="full", "Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder")
| eval build = if( isnull(build), "N/A", build )
| eval version = if( isnull(version), "pre 4.2", version )
| eval guid = if( isnull(guid), sourceHost, guid )
| eval os = if( isnull(os), "N/A", os )
| eval arch = if( isnull(arch), "N/A", arch )
| rex field=guid mode=sed "s/-//g"

## ui-prefs.conf
[default]
###
### Default to "Last 15 minutes" for search
###
dispatch.earliest_time = -15m
dispatch.latest_time = now

###
### Disable RT searches in /search and /launcher
### These entries must go in etc/system/local/ui-prefs.conf
	foreman-installer --scenario katello --enable-foreman-plugin-puppet --enable-foreman-cli-puppet --foreman-proxy-puppet true --foreman-proxy-puppetca true --foreman-proxy-content-puppet true --enable-puppet --puppet-server true --puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt --puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt --puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key
	2022-10-21 00:31:14 [NOTICE] [root] Loading installer configuration. This will take some time.
	2022-10-21 00:31:18 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
	2022-10-21 00:31:18 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTI
	\| eval severity = case(
	severity="critical", "┻━┻︵ \(°□°)/ ︵ ┻━┻ ".severity,
	severity="high", "(╯°□°)╯ ︵ ┻━┻ ".severity,
	severity="medium", "ಠ_ಠ ".severity,
	severity="low", "(っ◕‿◕)っ ".severity,
	severity="info", "♥‿♥ ".severity,
	true(), severity
	)
	_____________________

	PROPS.CONF
	_____________________

	[iis]
	TRANSFORMS-syslog = send_to_syslog

	[WinEventLog:Security]
	TRANSFORMS-syslog = send_to_syslog
	\| rest /services/deployment/server/clients splunk_server=local
	\| fields averagePhoneHomeInterval build clientName guid hostname lastPhoneHomeTime splunkVersion utsname
	\| rex field=hostname "(?<sourceHost>[^\.]+)\.(?<sourceDomain>.+)"
	\| eval sourceHost = if( isnull(sourceDomain), hostname, sourceHost )
	\| eval sourceHost = lower(sourceHost)
	\| rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)"
	\| eval os = case( os = "linux", "Linux", os = "windows", "Windows" )
	\| fields - utsname hostname
	\| convert timeformat="%F %T" ctime(lastPhoneHomeTime)
	\| table sourceHost sourceDomain os arch splunkVersion build guid clientName averagePhoneHomeInterval lastPhoneHomeTime updated
	\| rest /services/shcluster/member/members splunk_server=local
	\| table label status title artifact_count status_counter.Complete advertise_restart_required last_heartbeat
	\| eval is_captain = "No"
	\| eval is_current = "No"
	\| eval artifacts_not_reaped = artifact_count - 'status_counter.Complete'
	\| eval heartbeat_diff = now() - last_heartbeat
	\| join type=outer label
	[
	\| rest /services/shcluster/status splunk_server=local
	\| fields captain.label
	\| rest /services/deployment/server/clients splunk_server=local \|
	fields averagePhoneHomeInterval build clientName guid hostname lastPhoneHomeTime updated utsname \|
	rex field=hostname "(?<sourceHost>[^\.]+)\.(?<sourceDomain>.+)" \|
	eval sourceHost = if( isnull(sourceDomain), hostname, sourceHost ) \|
	rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)" \|
	eval os = case( os = "linux", "Linux", os = "windows", "Windows" ) \|
	fields - utsname hostname \|
	lookup version2build.csv build \|
	table sourceHost sourceDomain os arch version build guid clientName averagePhoneHomeInterval lastPhoneHomeTime updated \|
	sort version sourceHost sourceDomain
	index=_internal source="metrics.lo" group=tcpin_connections earliest=-7d latest=now
	\| eval sourceHost = if( isnull(hostname), sourceHost, hostname )
	\| dedup sourceHost
	\| eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Lightweight Forwarder",fwdType=="full", "Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder")
	\| eval build = if( isnull(build), "N/A", build )
	\| eval version = if( isnull(version), "pre 4.2", version )
	\| eval guid = if( isnull(guid), sourceHost, guid )
	\| eval os = if( isnull(os), "N/A", os )
	\| eval arch = if( isnull(arch), "N/A", arch )
	\| rex field=guid mode=sed "s/-//g"
	[default]
	###
	### Default to "Last 15 minutes" for search
	###
	dispatch.earliest_time = -15m
	dispatch.latest_time = now

	###
	### Disable RT searches in /search and /launcher
	### These entries must go in etc/system/local/ui-prefs.conf