How do you install a heavy forwarder on a Puppet Enterprise Server for use with the Splunk Add-on for Puppet Enterprise?

New Member

We have an organization requesting to use the TA for Puppet to get their Puppet Enterprise (PE) server logs into our institutional Splunk environment. I read the limited amount of documentation I found here: https://splunkbase.splunk.com/app/3610/ and https://github.com/puppetlabs/SplunkTAforPuppetEnterprise

  1. So to use the Puppet TA does this require the following?
    a) Install Enterprise Splunk on the PE Server.
    b) Install Splunk Puppet TA on the PE Server.
    c) Configure Splunk as a HF (heavy forwarder) on the PE server.
    d) Configure the HF to send the logs it's gathered to our institutional Splunk indexer cluster?

  2. Does this require that the HF on the PE server have its own Splunk license for the daily ingest of PE server logs?

  3. Since my organization manages the institutional Splunk infrastructure, but doesn't manage the PE server or have access to it, would this be considered risky or unconventional to have an outside organization running a HF that forwards data into our indexers?

  4. Are there better ways to do this that allow my organization to centrally manage all aspects of getting the PE server logs into Splunk? Perhaps simply setting up a universal forwarder on the PE server?

  5. Other suggestions/recommendations?

0 Karma

Path Finder

Hi @lemmons2

Here are the answers to your questions:

  1. So to use the Puppet TA does this require the following?
    a) Install Enterprise Splunk on the PE Server. No
    b) Install Splunk Puppet TA on the PE Server. No
    c) Configure Splunk as HF (heavy forwarder) on the PE server. No
    d) Configure the HF to send the logs it's gathered to our institutional Splunk indexer cluster? Yes

  2. Does this require that the HF on the PE server have its own Splunk license for the daily ingest of PE server logs?
    Answer: No, there is no requirement to purchase a separate license for the HF. You can use the license which is used for Splunk Enterprise.

  3. Since my organization manages the institutional Splunk infrastructure but doesn't manage the PE server or have access to it, would this be considered risky or unconventional to have an outside organization running a HF that forwards data into our indexers?
    Answer: You can create a HF in your environment, install the Splunk Add-on for Puppet Enterprise on that HF, and configure inputs in that add-on. If you already have a HF in your environment, then there is no need to create a new one. You can install the add-on on that HF.

  4. Are there better ways to do this that allow my organization to centrally manage all aspects of getting the PE server logs into Splunk? Perhaps simply setting up a universal forwarder on the PE server?
    Answer: I think you will get the answer to this question from question 3. You cannot implement this use case with the help of universal forwarders.

If you think this helps you, then please upvote this answer.

Thanks,
Bhavik

0 Karma

Champion

I've never used the add-on or app, but looking at that blurb on Splunkbase, it sounds like you can install this on any heavy forwarder. It doesn't sound like you have to install Splunk/HF on the Puppet server.

And at a glance, taking a look at the inputs spec file for this app, seems like the inputs allow you to specify the puppet server, meaning it probably would work from a separate hf - assuming the ports are open.

https://github.com/puppetlabs/SplunkTAforPuppetEnterprise/blob/master/README/inputs.conf.spec

0 Karma