Hello,
I would like to deploy the Splunk Universal Forwarder to a batch of servers (150).
I will use SCCM.
What is the best practice to do so?
1. By a command line through the deployment of an application:
:: Splunk installer
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT
if %OS%==32BIT GOTO Run32
if %OS%==64BIT GOTO Run64
:Run64
:: msiexec and all of its properties must be on one line; LOGON_PASSWORD is passed in clear text here
msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x64-release.msi" LOGON_USERNAME=AD\yyyyyyyy LOGON_PASSWORD=xxxxxxx WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
Set MSIError=%Errorlevel%
GOTO End
:Run32
:: 32-bit hosts need the x86 package (file name assumed to follow the x64 one)
msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x86-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
Set MSIError=%Errorlevel%
:End
exit /B %MSIError%
then adding the switches in the command line:
::
::PERFMON=<input_type>,<input_type>,...
or
using a limited command line :
:: Splunk installer
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT
if %OS%==32BIT GOTO Run32
if %OS%==64BIT GOTO Run64
:Run64
msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
Set MSIError=%Errorlevel%
GOTO End
:Run32
:: 32-bit hosts need the x86 package (file name assumed to follow the x64 one)
msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x86-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
Set MSIError=%Errorlevel%
:End
exit /B %MSIError%
and then copying a file like
inputs.conf:
[WinEventLog://Application]
disabled = 0
index = wineventlog
[WinEventLog://Security]
disabled = 0
index = wineventlog
[WinEventLog://System]
disabled = 0
index = wineventlog
[WinEventLog://Setup]
checkpointInterval = 60
current_only = 0
disabled = 0
start_from = oldest
index = wineventlog
# Memory
[perfmon://Memory]
counters = Committed Bytes; Available MBytes; Available Bytes
disabled = 0
interval = 300
object = Memory
useEnglishOnly=true
index = perfmon
# Network
[perfmon://Network]
counters = Bytes Total/sec; Current Bandwidth; Bytes Received/sec; Bytes Sent/sec
disabled = 0
instances = *
interval = 300
object = Network Interface
useEnglishOnly=true
index = perfmon
# Process
[perfmon://Process]
counters = % Processor Time; Working Set; Working Set - Private
disabled = 0
instances = *
interval = 300
object = Process
useEnglishOnly=true
index = perfmon
# Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; % Disk Time; Current Disk Queue Length; Avg. Disk sec/Transfer; Free Megabytes
disabled = 0
instances = *
interval = 300
object = LogicalDisk
useEnglishOnly=true
index = perfmon
# CPU
[perfmon://CPU]
counters = % Processor Time; % User Time
disabled = 0
instances = *
interval = 300
object = Processor
useEnglishOnly=true
index = perfmon
-- [perfmon://PhysicalDisk]
counters = Free Megabytes;% Free Space
instances = _Total
interval = 3600
object = LogicalDisk
disabled = 0
# Lists all services registered on the system, if they are running, and the status
[WMI:Service]
disabled = 0
interval = 3600
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
index = main
What is the best path to do it? If it is the second solution, how do I "link" the files to the command line?
Thanks,
Dom
My preference has always been to perform the base installation of the UF on the clients with the deployment server defined (as you seem to be doing), and then, as opposed to placing any other configs directly on the server, push all of your inputs and configs by way of your deployment server. You can define serverclasses based on OS, and push base Windows inputs out to all of your Windows servers.
For example:
serverclass.conf
[serverClass:WindowsServers]
machineTypesFilter=windows*
whitelist.0=*
[serverClass:WindowsServers:app:BaseWindowsInputsApp]
restartSplunkd=1
And then define your inputs.conf and wmi.conf or other config files in the BaseWindowsInputsApp, to be pushed out by the Deployment Server as the UFs phone home after initial installation.
Doing it this way allows you to more easily change the configs on the fly as needed without having to touch them again with SCOM.
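An added example, not part of the answer above and not Splunk's own tooling: a Python script that prepares the contents of BaseWindowsInputsApp before the app is placed on the deployment server. It sorts [WMI:...] stanzas into wmi.conf and everything else into inputs.conf, and holds back any line that is not a stanza header, a key = value setting or a # comment, together with the settings after it, since those would otherwise be read as part of the previous stanza. The function names, the sample text and the choice of the app's local/ directory are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[(.+)\]$")
SETTING = re.compile(r"^[^\s=\[#][^=]*=")
# Constructed sample in the style of the question's file, including a "--" label line.
SAMPLE = """\
[WinEventLog://Security]
disabled = 0
index = wineventlog
-- [perfmon://PhysicalDisk]
counters = Free Megabytes;% Free Space
[WMI:Service]
wql = SELECT Name, State FROM Win32_Service
index = main
"""

def split_stanzas(text):
    """Sort stanzas into inputs.conf / wmi.conf; return (files, rejected lines)."""
    files, rejected, target = {"inputs.conf": [], "wmi.conf": []}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:  # [WMI:...] stanzas are wmi.conf syntax, the rest are inputs
            target = "wmi.conf" if header.group(1).startswith("WMI:") else "inputs.conf"
            files[target].append(line)
        elif target and SETTING.match(line):
            files[target].append(line)
        else:  # not a header, setting or comment; hold back what follows it too
            rejected.append((lineno, line))
            target = None
    return files, rejected

def stage_app(splunk_home, app, files):
    """Write the files under <splunk_home>/etc/deployment-apps/<app>/local/."""
    local = Path(splunk_home) / "etc" / "deployment-apps" / app / "local"
    local.mkdir(parents=True, exist_ok=True)
    for name, lines in files.items():
        if lines:
            (local / name).write_text("\n".join(lines) + "\n")
    return sorted(p.name for p in local.iterdir())

if __name__ == "__main__":
    files, rejected = split_stanzas(SAMPLE)
    with tempfile.TemporaryDirectory() as home:  # stand-in for $SPLUNK_HOME
        print(stage_app(home, "BaseWindowsInputsApp", files), rejected)
```

Anything returned in the rejected list should be resolved by hand before the app is pushed, because the forwarders restart with whatever the deployment server serves.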
Thanks let me try
Dom
Hey @dominiqued, just checking in to see if that worked out for you or you have any follow up questions.
It works perfectly, thanks a lot for the quick and detailed answer.
Dom
Anytime, Dom -- that's great, glad I could help!