
XenDesktop MCS Golden Image oddities

bakkerem
New Member

Hi, fellow Splunkers,

Being fairly new to Splunk, I'm a bit puzzled by the behaviour of the universal forwarder in our XenDesktop (7.5) environment.

Before sealing the golden image I prepped the forwarder according to the information in this forum: after stopping and disabling the universalforwarder service, I ran ./splunk clone-prep-clear-config (the service is re-enabled by means of a GPO on the target OU in which the cloned AD computer objects are spawned).

Yesterday I ran a first test of this mechanism, and what strikes me is that:

  1. All clone VDIs are using the same GUID.
  2. All events are indexed using the hostname of the master VDI that was used to create the clones. The computername field of the indexed log entries contains the true name of the VDI, though.
  3. The clone VDIs all have a connected forwarder (as can be confirmed using netstat -o on the deployment server).
  4. The master VDI does not have a forwarder connection in 'forwarder management', as could be expected.

What is going on here? Is the creation of the GUID partly based on fixed parameters that, shortly after spawning a computer from a snapshot, will not yet have been randomized? What is wrong with the content of the host field, when the computername field is adjusted?

When I rerun the command to remove the GUID from the universal forwarder on the master VDI, no feedback is given. I interpret that as confirmation that the info was stripped already.

Thanks in advance,

Erik Bakker
the Netherlands.

0 Karma

JutManGraham
New Member

How I configured my systems for MCS/PVS

  1. Run the Splunk service as a domain service account.
  2. Make the service account an administrator in your XenDesktop environment.
  3. Take OWNER of the Splunk directory on the server/workstation with local administrators group
  4. Ensure the local administrators group has full rights to the folder structure, or allow inheritance.
  5. Make the service account a local administrator on your server, give it the Login As a Service right
  6. Run Set-ExecutionPolicy -ExecutionPolicy unrestricted -force on your MCS or PVS gold image to allow the .ps1 scripts
  7. Create a startup task
  8. Set system environment variable SPLUNK_HOME C:(install folder)

Start task, executes 1 minute after system startup:
C:
CD C:(install folder)\bin
C:(install folder)\bin\splunk.exe stop
splunkd rest POST /services/server/settings/settings host=%COMPUTERNAME%
splunkd rest POST /services/server/settings/settings serverName=%COMPUTERNAME%
C:(install folder)\bin\splunk.exe start

0 Karma

bakkerem
New Member

Apparently this was caused by not using the correct snapshot as the basis for the MCS clones. In the snapshot that was used, the removal of the GUID had not taken place.

Erik Bakker
the Netherlands

0 Karma
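As an added example (not from any post in this thread), a PowerShell pre-seal check that would have flagged the situation described above, where the snapshot still carried the master's GUID. The default install path, service name, and the files and keys that clone-prep-clear-config is expected to have cleared (instance.cfg guid, server.conf serverName, inputs.conf host) are assumptions; adjust them to your install.

```powershell
# Added example: verify a Splunk UF golden image is prepped before taking the MCS snapshot.
# Assumptions: default install path, service name 'SplunkForwarder', and that
# clone-prep-clear-config clears instance.cfg guid, server.conf serverName, inputs.conf host.
param(
    [string]$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$ServiceName = 'SplunkForwarder'
)

$problems = @()

# 1. The forwarder must not be running while the image is sealed, or it
#    regenerates the identity we just cleared.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += "service $ServiceName not found"
} elseif ($svc.Status -ne 'Stopped') {
    $problems += "service $ServiceName is $($svc.Status), expected Stopped"
}

# 2. Any leftover identity setting is inherited by every clone.
$checks = @(
    @{ File = 'etc\instance.cfg';             Key = 'guid';       Why = 'all clones would share one GUID' },
    @{ File = 'etc\system\local\server.conf'; Key = 'serverName'; Why = 'all clones would report the master name' },
    @{ File = 'etc\system\local\inputs.conf'; Key = 'host';       Why = 'events would carry the master host field' }
)
foreach ($c in $checks) {
    $path = Join-Path $SplunkHome $c.File
    if (-not (Test-Path $path)) { continue }   # a cleared file may simply be absent
    $hit = Select-String -Path $path -Pattern ('^\s*{0}\s*=' -f $c.Key)
    if ($hit) {
        $line = ($hit | Select-Object -First 1).Line.Trim()
        $problems += "$($c.File) still sets $($c.Key) ($($c.Why)): $line"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: image is prepped; safe to take the MCS snapshot'
    exit 0
}
$problems | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it from an administrative PowerShell on the master VDI immediately before taking the snapshot; a non-zero exit means the clones would inherit the master's identity.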

goudduif
New Member

We run the following on the Gold Image

• Stop the service SplunkForwarder (but leave the start type at automatic)
• Open an administrative command prompt
• Run the command: C:\Program Files\SplunkUniversalForwarder\bin\splunk clone-prep-clear-config
• Prepare the machine for cloning as necessary, and we didn't reboot them

This works fine, each server is correctly visible on Splunk.
We boot all our servers each weekend.
After the reboot we receive around 10 GB, and on all other days around 2 GB.
Why does it collect all the data again each week?

0 Karma