<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Splunk remote windows data collection in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41097#M7623</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;We are looking at using the universal forwarder to collect remote windows data from event logs from approx 11,000 clients. Is this recommended and is there any documentation out there on how to set this up if we have all client machine names?&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Tue, 21 May 2013 14:42:56 GMT</pubDate>
    <dc:creator>aaronkorn</dc:creator>
    <dc:date>2013-05-21T14:42:56Z</dc:date>
    <item>
      <title>Splunk remote windows data collection</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41097#M7623</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;We are looking at using the universal forwarder to collect remote windows data from event logs from approx 11,000 clients. Is this recommended and is there any documentation out there on how to set this up if we have all client machine names?&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 21 May 2013 14:42:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41097#M7623</guid>
      <dc:creator>aaronkorn</dc:creator>
      <dc:date>2013-05-21T14:42:56Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk remote windows data collection</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41098#M7624</link>
      <description>&lt;P&gt;Why not install a UF on the clients?  11,000 clients for one UF seems a bit hefty. Also, how concerned are you with in-flight data loss?&lt;/P&gt;</description>
      <pubDate>Tue, 21 May 2013 14:52:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41098#M7624</guid>
      <dc:creator>bmacias84</dc:creator>
      <dc:date>2013-05-21T14:52:08Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk remote windows data collection</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41099#M7625</link>
      <description>&lt;P&gt;This is an option that we could do with SCCM, and yes, we are concerned with in-flight data loss.&lt;/P&gt;</description>
      <pubDate>Tue, 21 May 2013 14:55:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41099#M7625</guid>
      <dc:creator>aaronkorn</dc:creator>
      <dc:date>2013-05-21T14:55:52Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk remote windows data collection</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41100#M7626</link>
      <description>&lt;P&gt;If you're using WMI this won't work.  WMI causes issues once you get over about 60 WMI inputs.&lt;/P&gt;

&lt;P&gt;You need to use universal forwarders installed locally on each server.  If you're looking to script the install see these resources:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/DeployaWindowsdfviathecommandline"&gt;http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/DeployaWindowsdfviathecommandline&lt;/A&gt;&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Installation/InstallonWindowsviathecommandline"&gt;http://docs.splunk.com/Documentation/Splunk/5.0.2/Installation/InstallonWindowsviathecommandline&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;I've tried to script this in PowerShell using WinRM but haven't had luck with msiexec running in a remote shell:&lt;/P&gt;

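&lt;PRE&gt;&lt;CODE&gt;function Deploy-Splunk
{
    # Installs the Splunk universal forwarder MSI on every host named in a
    # server list, one PowerShell remoting (WinRM) session per host, and records
    # the outcome in the "Splunk" event log on each target.
    #
    # Parameters (each one prompts interactively when it is not supplied):
    #   ServerList - path to a text file with one target host name per line
    #   MSI        - path to the forwarder MSI, as seen from the TARGET host
    #   Indexer    - receiving indexer host name or IP
    #   Port       - receiving port on the indexer
    #   Options    - additional msiexec properties and switches, e.g. /quiet
    #
    # NOTE(review): $MSI is resolved inside the remote session. A path on a
    # network share usually fails there, because the remoting session cannot
    # pass the operator's credential on to a second host. Stage the MSI on the
    # target, or somewhere the target can read without the operator's
    # credential, rather than enabling credential delegation just for this.
    param (
        [string] $ServerList = $(Read-Host -prompt "Path to server list (b:\splunk\qa\serverlist.txt)"),
        [string] $MSI = $(Read-Host -prompt "Path to MSI (b:\splunkforwarder\forwarder.msi)"),
        [string] $Indexer = $(Read-Host -prompt "Indexer Hostname or IP (serverhostname.com)"),
        [string] $Port = $(Read-Host -prompt "Port Number (9999, 9997)"),
        [string] $Options = $(Read-Host -prompt "Options (WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 PERFMON=cpu,memory,network,diskspace SERVICESTARTTYPE=auto LAUNCHSPLUNK=1 AGREETOLICENSE=Yes /quiet)")
    )

    begin {
        $error.Clear()
    }

    process {
        # One credential prompt, reused for every target in the list.
        $Cred = Get-Credential

        # Build the msiexec argument string only. The original assigned the
        # result of running msiexec.exe locally, so nothing usable was ever
        # sent to the targets.
        $Receiver = 'RECEIVING_INDEXER="' + $Indexer + ':' + $Port + '"'
        $MsiArguments = '/i "' + $MSI + '" ' + $Receiver + ' ' + $Options

        foreach ($Server in (Get-Content $ServerList)) {
            # Skip blank lines in the server list.
            if (-not $Server.Trim()) { continue }

            try {
                $S = New-PSSession -ComputerName $Server -Credential $Cred -ErrorAction Stop
            }
            catch {
                # An unreachable host should not stop the rest of the rollout.
                Write-Warning ("Could not open a session to " + $Server + ": " + $_)
                continue
            }

            try {
                Invoke-Command -Session $S -ArgumentList @($MsiArguments) -ScriptBlock {
                    # -ArgumentList values only reach the remote side through
                    # a param block (or $args); the caller's variables do not
                    # exist in the remote session.
                    param ([string] $MsiArguments)

                    # Wait for the installer and judge the result by its exit
                    # code instead of inspecting $error.
                    $Install = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArguments -Wait -PassThru

                    # The logged command line contains everything passed in
                    # Options; keep secrets out of it, or out of this message.
                    $Detail = 'Installation Command: msiexec.exe ' + $MsiArguments + "`r`n" + 'Exit Code: ' + $Install.ExitCode

                    # Write-EventLog needs the "Splunk" log and source to be
                    # registered on the target already (see New-EventLog).
                    # msiexec returns 0 for success and 3010 for success with
                    # a reboot pending.
                    if (($Install.ExitCode -eq 0) -or ($Install.ExitCode -eq 3010)) {
                        $msg = 'SplunkUniversalForwarder Installed Successfully.' + "`r`n" + $Detail
                        Write-EventLog Splunk -Source Splunk -EntryType Information -EventID 999 -Message $msg
                    }
                    else {
                        $msg = 'SplunkUniversalForwarder Failed to Install.' + "`r`n" + $Detail
                        Write-EventLog Splunk -Source Splunk -EntryType Error -EventID 999 -Message $msg
                    }
                } #end invoke-command / scriptblock
            }
            finally {
                # Always close the session so thousands of hosts do not leave
                # open remoting sessions behind.
                Remove-PSSession -Session $S
            }
        } #end foreach loop
    } #end process
} #end function Deploy-Splunk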
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 21 May 2013 15:02:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41100#M7626</guid>
      <dc:creator>jkat54</dc:creator>
      <dc:date>2013-05-21T15:02:01Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk remote windows data collection</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41101#M7627</link>
      <description>&lt;P&gt;If you are worried about in-flight data loss, there is no easy way to guarantee receipt of the data from the remote client, as WMI is based on interval.  I would recommend installing the UF locally on each of the 11,000 servers, as the UF will have checkpoints on the event logs and you can enable indexer acknowledgement.&lt;/P&gt;</description>
      <pubDate>Tue, 21 May 2013 15:57:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-remote-windows-data-collection/m-p/41101#M7627</guid>
      <dc:creator>bmacias84</dc:creator>
      <dc:date>2013-05-21T15:57:24Z</dc:date>
    </item>
  </channel>
</rss>

