XenDesktop MCS Golden Image oddities

bakkerem
New Member

Hi, fellow Splunkers,

Being fairly new to Splunk, I'm a bit puzzled by the behaviour of the universal forwarder in our XenDesktop (7.5) environment.

Before sealing the golden image I prepped the forwarder according to the information in this forum, after stopping and disabling the universalforwarder service, using ./splunk clone-prep-clear-config (this service is re-enabled by means of a GPO on the target OU the cloned AD-computerobjects are spawned in).

Yesterday I ran a first test of this mechanism, and what strikes me is that:

  1. all clone-VDI's are using the same GUID.
  2. all events are indexed, using the hostname of the master VDI that was used to create the clones. The computername-field of the indexed log-entries contains the true name of the VDI though.
  3. the clone-VDI's all have a connected forwarder (as can be confirmed when using netstat -o on the deployment server)
  4. the master VDI does not have a forwarder connection in 'forwarder management' - as could be expected

What is going on here? Is the creation of the GUID partly based on fixed parameters that, shortly after spawning a computer from a snapshot, will not have been randomized? What is wrong with the content of the host field, when the computername field is adjusted?

When I rerun the command to remove the GUID from the universalforwarder on the master VDI, no feedback is given. I interpret that as being a confirmation that the info was stripped already.

Thanks in advance,

Erik Bakker
the Netherlands.

0 Karma

JutManGraham
New Member

How I configured my systems for MCS/PVS

  1. Run the Splunk service as a Domain services account.
  2. Make the service account an administrator in your XenDesktop environment
  3. Take OWNER of the Splunk directory on the server/workstation with local administrators group
  4. Ensure the local administrators group has full rights to the folder structure, or allow inheritance.
  5. Make the service account a local administrator on your server, give it the Login As a Service right
  6. Run Set-ExecutionPolicy -ExecutionPolicy unrestricted -force on your MCS or PVS gold image to allow the .ps1 scripts
  7. Create a startup task
  8. Set system environment variable SPLUNK_HOME C:(install folder)

Start task, executes 1 minute after system startup
C:
CD C:(install folder)\bin
C:(install folder)\bin\splunk.exe stop
splunkd rest POST /services/server/settings/settings host=%COMPUTERNAME%
splunkd rest POST /services/server/settings/settings serverName=%COMPUTERNAME%
C:(install folder)\bin\splunk.exe start

0 Karma

bakkerem
New Member

Apparently this was caused by not using the correct snapshot as a basis for the MCS clones. In the used snapshot the removal of the GUID did not take place.

Erik Bakker
the Netherlands

0 Karma
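
A pre-seal check for the condition described in the post above (a snapshot in which the GUID removal had not taken place), as an added example that is not part of the original thread. It assumes the install path and service name quoted elsewhere in this thread, and that the per-instance identity lives in the usual places: guid in etc\instance.cfg, serverName in etc\system\local\server.conf and host in etc\system\local\inputs.conf.

```powershell
# Added example: run on the golden image right before taking the MCS/PVS snapshot.
# Assumption: default install path; override with -SplunkHome.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
)

# Return the value of "key = value" inside [stanza] of a .conf/.cfg file, or $null.
function Get-ConfValue {
    param([string]$Path, [string]$Stanza, [string]$Key)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $current = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -eq $Stanza -and $text -match "^$([regex]::Escape($Key))\s*=\s*(.*)$") {
            return $Matches[1].Trim()
        }
    }
    return $null
}

# Per-instance identity that must not be baked into the image.
$checks = @(
    @{ File = 'etc\instance.cfg';             Stanza = 'general'; Key = 'guid' },
    @{ File = 'etc\system\local\server.conf'; Stanza = 'general'; Key = 'serverName' },
    @{ File = 'etc\system\local\inputs.conf'; Stanza = 'default'; Key = 'host' }
)

$leftovers = foreach ($c in $checks) {
    $value = Get-ConfValue -Path (Join-Path $SplunkHome $c.File) -Stanza $c.Stanza -Key $c.Key
    # Values such as $decideOnStartup are resolved per clone at start, so they are not pinned.
    if ($value -and -not $value.StartsWith('$')) {
        [pscustomobject]@{ File = $c.File; Key = $c.Key; Value = $value }
    }
}

# A running forwarder writes its identity back, so it must be stopped at seal time.
$svc = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue
$running = $svc -and $svc.Status -ne 'Stopped'

if ($leftovers -or $running) {
    $leftovers | Format-Table -AutoSize | Out-String | Write-Host
    if ($running) { Write-Host 'SplunkForwarder service is still running.' }
    Write-Error 'Image is NOT ready to seal: run clone-prep-clear-config with the service stopped.'
    exit 1
}
Write-Host 'No GUID, serverName or host override found; image is ready to snapshot.'
```

A non-zero exit code means the snapshot would hand every clone the same forwarder identity, which is what produces shared GUIDs and events indexed under the master's hostname.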

goudduif
New Member

We run the following on the Gold Image

• Stop the service SplunkForwarder (but leave the start type at automatic)
• Open an administrative command prompt
• Run the command: "C:\Program Files\SplunkUniversalForwarder\bin\splunk" clone-prep-clear-config
• Prepare the machine for cloning as necessary, and we didn't reboot them

This works fine, each server is correctly visible on Splunk.
We boot all our servers each weekend.
After the reboot we receive around 10 GB, and on all other days around 2 GB.
Why does it collect all data again each week?

0 Karma