topic Re: Deploying Universal Forwarder for Splunk Cloud with cmd (No Deployment Server) in Installation

Deploying Universal Forwarder for Splunk Cloud with cmd (No Deployment Server)

ptrjay — Wed, 08 Mar 2023 14:04:03 GMT

I'm looking to rollout UF without the need for a deployment server - we have zero infrastructure and I'd rather not have to start hosting/monitoring/patching VMs to utilize Splunk Cloud.

I'm looking to automate the install with a cmd/powershell script rolled out through MDM, and I'm struggling to find the msi switches or examples for this scenario. I'll likely manage the installs through MDM also.

Can someone detail how to install Universal Forwarder on Windows for Splunk Cloud without a deployment server - I have the installer and the credentials pack but the MSI guides don't note how to pass the credential pack to the installer or what settings to use for the RECEIVING_INDEXER flag, if it is still required.

Many thanks for any help with this

Re: Deploying Universal Forwarder for Splunk Cloud with cmd (No Deployment Server)

gcusello — Wed, 08 Mar 2023 14:21:50 GMT

Hi @ptrjay,

have you a sistem like Ivanti LanDesk or Ansible?

if yes, you can use them.

If not, on Windows, the only solution is to manually connect to each VM and run the msi, in detail:

download the Universal Forwarder App from your Splunk Cloud Instance: it contains all the configurations to connect with Splunk Cloud,
check that the firewall routes between all your forwarders and Splunk Cloud are open for the port 9997,
manually run the msi to install the Universal Forwarder on each machine,
copy the downloaded Universal Forwarder App in each machine in $SPLUNK_HOME\etc\apps,
unzip it in that folder,
restart Splunk on the Universal Forwarder,
check on Splunk Cloud that al the Universal Forwarders are connected to Splunk Cloud.

even if you have few machines it isn't a good idea to not use a Deployment Server, think againg to this issue!

In addition, usually it's a best practice to use two Heavy Forwarders as concentrators to avoid to open firewall routes between all your machines and Splunk Cloud.

Ciao.

Giuseppe

Re: Deploying Universal Forwarder for Splunk Cloud with cmd (No Deployment Server)

richgalloway — Wed, 08 Mar 2023 16:42:19 GMT

I have to disagree with @gcusello on two points.

First, it's not necessary to manually install the UF on Windows. There is a CLI method designed, in part, for use with automation. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/InstallonWindowsviathecommandline#Install_Splunk_Enterprise_from_the_command_line

Second, it's better to not use intermediate forwarders (IFs) at all. The reason about fewer firewall holes must have been created by a lazy firewall admin. IFs add complexity and failure points. Where possible, UFs should send directly to Splunk Cloud.

If you do use IFs, I completely agree that you should have at least two of them.

Re: Deploying Universal Forwarder for Splunk Cloud with cmd (No Deployment Server)

ptrjay — Thu, 09 Mar 2023 08:37:55 GMT

The CLI method is what I've tried to use, but I cannot see an install flag for adding the Splunk Cloud .spl credential/authentication file to the installation, am I right in understanding that the .spl has to be added after the installation via a splunk.exe command?

I'm now seeing that the Splunk Add-on for Microsoft Windows is not present in the Universal Forwarder configuration (missing "Splunk_TA_windows" folder in \etc\apps\) so no data is now being sent to Splunk Cloud.

The add-on has otherwise been setup and added to the Cloud instance/tenant, but do I need a Deployment Server to actually rollout config to get the UF to send Windows data? I can't find any documentation or example folder configs to get the Add-on working without a DS?

The switches mentioned in the CLI installation for sending certain data (WINEVENTLOG_APP_ENABLE / WINEVENTLOG_SEC_ENABLE / WINEVENTLOG_SYS_ENABLE / WINEVENTLOG_FWD_ENABLE / WINEVENTLOG_SET_ENABLE) do nothing. The Cloud instance only looks to be receiving connection information from the forwarder but nothing is hitting the indexes which were setup as part of the Add-on installation.

Is it a matter of using these as a template? - https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Configuration

Re: Deploying Universal Forwarder for Splunk Cloud with cmd (No Deployment Server)

ptrjay — Thu, 09 Mar 2023 09:04:42 GMT

Where do I get the app config from to place in etc \etc\ structure? I think that's the part that I'm stuck on. My forwarders are present in the cloud portal but I cannot see any data going to them outside of some sort of connectivity log.

For background, our users are remote workers so I'm hoping to connect the endpoints directly to the cloud instance instead of having a cloud VM managing the traffic and adding an additional point of failure. All firewalling is local to the machine and the systems are using a zero-trust architecture with SSO for all operations.

Re: Deploying Universal Forwarder for Splunk Cloud with cmd (No Deployment Server)

richgalloway — Thu, 09 Mar 2023 14:04:50 GMT

Yes, apps and add-ons must be installed after running the .msi file. They can be installed using a splunk.exe command or my manually expanding the .spl file into the proper place (%SPLUNK_HOME%\etc\apps).

Add-ons typically need to be installed on UFs (for the inputs.conf settings) as well as on the indexers and search heads (for props.conf and other settings).

Sometimes the documentation assumes other steps have been taken previously. I'm not familiar with the switches you mentioned, but they may be part of an add-on you have not yet installed.

You do not *need* a DS, but it is highly recommended you use one, unless your company has another method for managing the software installed on endpoints.

Re: Deploying Universal Forwarder for Splunk Cloud with cmd (No Deployment Server)

richgalloway — Thu, 09 Mar 2023 14:12:20 GMT

The best place from which to get an app config is the Splunk app store (apps.splunk.com). Also, any non-cloud Splunk UI can generate an app for you by clicking the New button on the Manage Apps page. Finally, you can create the structure yourself using an existing app as a guide and the docs at https://dev.splunk.com/enterprise/tutorials/module_getstarted/createapp