
Deployment Splunk Universal Forwarder

dominiqued
Explorer

Hello,

I would like to deploy the Splunk Universal Forwarder to a batch of servers (150).
I will use SCCM.
What is the best practice to do so:
1. by a command line through the deployment of the application:


    ::splunk installer
    :: Pick the MSI for the OS architecture: PROCESSOR_ARCHITECTURE is "x86" on 32-bit Windows and "AMD64" on 64-bit
    reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT
    if %OS%==32BIT GOTO Run32
    if %OS%==64BIT GOTO Run64
    :Run64
    :: One msiexec call on a single line (a line break inside the command would run the rest as a separate command); no spaces inside the DEPLOYMENT_SERVER quotes
    msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x64-release.msi" LOGON_USERNAME=AD\yyyyyyyy LOGON_PASSWORD=xxxxxxx WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
    Set MSIError=%Errorlevel%
    GOTO End
    :Run32
    :: 32-bit hosts need the x86 package; that file name is assumed here, the post only names the x64 MSI
    msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x86-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
    Set MSIError=%Errorlevel%
    :End
    exit /B %MSIError%

and then adding the other switches to the command line, e.g.:

::
::PERFMON=<input_type>,<input_type>,...

or
2. using a limited command line:


::splunk installer
:: Pick the MSI for the OS architecture: PROCESSOR_ARCHITECTURE is "x86" on 32-bit Windows and "AMD64" on 64-bit
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT
if %OS%==32BIT GOTO Run32
if %OS%==64BIT GOTO Run64
:Run64
:: Minimal install: accept the licence and point the UF at the deployment server (no spaces inside the quotes)
msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
Set MSIError=%Errorlevel%
GOTO End
:Run32
:: 32-bit hosts need the x86 package; that file name is assumed here, the post only names the x64 MSI
msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x86-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
Set MSIError=%Errorlevel%
:End
exit /B %MSIError%

and then copying files like:

inputs.conf:

# Only "#" starts a comment in a Splunk .conf file, so the section labels below use "#"
[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Setup]
checkpointInterval = 60
current_only = 0
disabled = 0
start_from = oldest
index = wineventlog

# Memory
[perfmon://Memory]
counters = Committed Bytes; Available MBytes; Available Bytes
disabled = 0
interval = 300
object = Memory
useEnglishOnly = true
index = perfmon

# Network
[perfmon://Network]
counters = Bytes Total/sec; Current Bandwidth; Bytes Received/sec; Bytes Sent/sec
disabled = 0
instances = *
interval = 300
object = Network Interface
useEnglishOnly = true
index = perfmon

# Process
[perfmon://Process]
counters = % Processor Time; Working Set; Working Set - Private
disabled = 0
instances = *
interval = 300
object = Process
useEnglishOnly = true
index = perfmon

# Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; % Disk Time; Current Disk Queue Length; Avg. Disk sec/Transfer; Free Megabytes
disabled = 0
instances = *
interval = 300
object = LogicalDisk
useEnglishOnly = true
index = perfmon

# CPU
[perfmon://CPU]
counters = % Processor Time; % User Time
disabled = 0
instances = *
interval = 300
object = Processor
useEnglishOnly = true
index = perfmon

# PhysicalDisk: whole stanza commented out. A header written as "-- [perfmon://PhysicalDisk]"
# is not a comment and does not open a stanza, so its keys would have been read as part of
# [perfmon://CPU] above and overwritten counters, interval and object there.
# [perfmon://PhysicalDisk]
# counters = Free Megabytes;% Free Space
# instances = _Total
# interval = 3600
# object = LogicalDisk
# disabled = 0

and also a wmi.conf:

# Lists all services registered on the system, whether they are running, and their status
[WMI:Service]
disabled = 0
interval = 3600
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
index = main

What is the best path to take? If it is the second solution, how do I "link" the files to the command line...?
Thanks,
Dom

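Why the "--" lines in that inputs.conf matter, shown with a small parser (an added example, not code from the post or from Splunk): a Splunk .conf file treats only "#" as a comment, so "-- [perfmon://PhysicalDisk]" never opens a stanza and the keys under it overwrite [perfmon://CPU]. The parser is a simplified model of stanza/key handling; lines that are neither a header, a "#" comment nor key = value are reported as stray rather than interpreted, and the sample text is a constructed excerpt of the question's perfmon stanzas.

```python
import re
STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_conf(text):
    """Return ({stanza: {key: value}}, stray_lines). Only '#' starts a comment;
    key = value lines join the latest [stanza] and a repeated key overwrites."""
    stanzas, stray = {}, []
    current = "default"  # keys above the first header land in [default]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas.setdefault(current, {})[key] = value
        else:
            stray.append((lineno, line))  # e.g. "-- Memory" is NOT a comment
    return stanzas, stray

def fix_dash_comments(text):
    """Rewrite '--' lines as '#' comments; if a '--' line wraps a [stanza]
    header, its key lines up to the next blank line are commented out too."""
    out, disabling = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--"):
            disabling = "[" in line and "]" in line
            out.append("# " + line[2:].strip())
        elif disabling and line and not STANZA_RE.match(line):
            out.append("# " + line)
        else:
            if not line or STANZA_RE.match(line):
                disabling = False
            out.append(raw)
    return "\n".join(out) + "\n"

# Constructed excerpt modelled on the last two perfmon blocks in the question.
SAMPLE = """\
-- CPU
[perfmon://CPU]
counters = % Processor Time; % User Time
object = Processor
-- [perfmon://PhysicalDisk]
counters = Free Megabytes;% Free Space
object = LogicalDisk
"""
```

Running parse_conf(SAMPLE) shows the CPU stanza ending up with object = LogicalDisk; parse_conf(fix_dash_comments(SAMPLE)) keeps object = Processor and reports no stray lines.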
1 Solution

thesplunkmonkey
Path Finder

My preference has always been to perform the base installation of the UF on the clients with the deployment server defined (as you seem to be doing), and then, as opposed to placing any other configs directly on the server, push all of your inputs and configs by way of your deployment server. You can define serverclasses based on OS, and push base Windows inputs out to all of your Windows servers.

For example:

serverclass.conf

[serverClass:WindowsServers]
machineTypesFilter=windows*
whitelist.0=*

[serverClass:WindowsServers:app:BaseWindowsInputsApp]
restartSplunkd=1

And then define your inputs.conf and wmi.conf or other config files in the BaseWindowsInputsApp, to be pushed out by the Deployment Server as the UFs phone home after initial installation.

Doing it this way allows you to more easily change the configs on the fly as needed without having to touch them again with SCOM.

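How the deployment server decides which clients receive BaseWindowsInputsApp, as an added example (not Splunk's code and not part of the answer): a simplified membership check over serverclass.conf stanzas as they would be read into stanza/key dictionaries. It assumes whitelist/blacklist globs are matched against the hostname only (Splunk also matches client name, IP and DNS name) and that a blacklist match wins; the DomainControllers class and the lab-* blacklist entry are constructed additions to the answer's serverclass.conf.

```python
from fnmatch import fnmatch

def apps_for_client(serverclass, hostname, machine_type):
    """Simplified deployment-server membership check: a client gets a server
    class's apps when its hostname matches some whitelist.N glob, matches no
    blacklist.N glob, and its machine type matches machineTypesFilter
    (comma-separated globs; defaults to any type when the key is absent)."""
    def hit(value, patterns):
        return any(fnmatch(value.lower(), p.lower()) for p in patterns)

    pushed = []
    for stanza in serverclass:
        parts = stanza.split(":")  # serverClass:<class>:app:<app>
        if len(parts) != 4 or parts[0] != "serverClass" or parts[2] != "app":
            continue
        rules = serverclass.get("serverClass:" + parts[1], {})
        types = [t.strip() for t in rules.get("machineTypesFilter", "*").split(",")]
        allow = [v for k, v in rules.items() if k.startswith("whitelist.")]
        deny = [v for k, v in rules.items() if k.startswith("blacklist.")]
        if hit(machine_type, types) and hit(hostname, allow) and not hit(hostname, deny):
            pushed.append(parts[3])
    return pushed

# Constructed serverclass.conf contents keyed by stanza: the answer's
# WindowsServers class (plus a hypothetical lab-* blacklist) and a
# hypothetical DomainControllers class restricted to 64-bit Windows.
SERVERCLASS = {
    "serverClass:WindowsServers": {
        "machineTypesFilter": "windows*", "whitelist.0": "*", "blacklist.0": "lab-*"},
    "serverClass:WindowsServers:app:BaseWindowsInputsApp": {"restartSplunkd": "1"},
    "serverClass:DomainControllers": {
        "machineTypesFilter": "windows-x64", "whitelist.0": "dc-*"},
    "serverClass:DomainControllers:app:DCInputsApp": {"restartSplunkd": "1"},
}
```

A 64-bit Windows host named dc-01 gets both apps, app01 gets only the base app, lab-01 gets nothing because of the blacklist, and a Linux host gets nothing because of machineTypesFilter.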

dominiqued
Explorer

Thanks let me try

Dom


thesplunkmonkey
Path Finder

Hey @dominiqued, just checking in to see if that worked out for you or you have any follow up questions.


dominiqued
Explorer

It works perfectly thanks a lot for the quick and detailed answer.
Dom


thesplunkmonkey
Path Finder

Anytime, Dom -- that's great, glad I could help!


