How to install Splunk in 1000 EC2 instances

VijaySrrie
Builder

Hi,

We have 1000 EC2 instances. How do we install forwarders on all instances in one go?

If we use a script, from where do we need to push the forwarder config to all 1000 instances?

Roy_9
Motivator

I would recommend an Ansible script to automate this installation.

isoutamo
SplunkTrust

Hi

This depends on what kind of instances those are and especially how they are created and managed. Options are, e.g., to use suitable commands in your CloudFormation definition or Terraform scripts, or to use e.g. Ansible or another tool to install and update those. Then, as @richgalloway proposes, use a DS to manage configurations, or Ansible or another tool which your enterprise already uses.
As you see, there isn't only one solution or even best practices (except automate it).
r. Ismo

richgalloway
SplunkTrust

Consider installing the UF on one instance and then cloning that instance 999 times. See https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Makeauniversalforwarderpartofahostim... for details.

If you already have all of the instances defined, then it may be best to run a script that installs the UF remotely on each instance. A good place to run the script is on your Deployment Server. If you don't have a DS, then create one - it will make managing so many forwarders much easier. See https://community.splunk.com/t5/Installation/Forwarder-Installation-Script/m-p/50690 and https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Installanixuniversalforwarderremotel... for sample scripts.

---
If this reply helps you, Karma would be appreciated.
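
The remote-install approach from the reply above, as an added example that is not part of the thread or of the linked Splunk sample scripts: it checks the package digest once, validates each host entry before it reaches an `ssh`/`scp` command line, and points every forwarder at a deployment server. The host file, package file name, deployment server address, key-based SSH and passwordless sudo on the targets are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or Splunk's docs. Constructed placeholders:
# hosts.txt, the package file name and the deployment server address.
UF_TGZ="${UF_TGZ:-splunkforwarder.tgz}"       # package downloaded once, locally
UF_SHA256="${UF_SHA256:-}"                    # digest published with the download
DS_URI="${DS_URI:-ds.example.internal:8089}"  # deployment server host:mgmt-port
HOSTS="${HOSTS:-hosts.txt}"                   # one hostname or IP per line
SPLUNK_HOME=/opt/splunkforwarder              # assumed: tarball unpacks to this under /opt

# Refuse to ship a package whose SHA-256 is unset or does not match.
verify_pkg() {
  [ -n "$2" ] && [ -f "$1" ] || return 1
  [ "$(sha256sum "$1" | awk '{print $1}')" = "$2" ]
}

# Host strings end up on ssh/scp command lines: allow only hostname characters
# and reject a leading '-' so an entry can never be parsed as an option.
valid_host() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Minimal deploymentclient.conf so the forwarder pulls its apps from the DS.
deployment_client_conf() {
  printf '[deployment-client]\n\n[target-broker:deploymentServer]\ntargetUri = %s\n' "$1"
}

# Copy the package, unpack it, write the DS pointer (sent on stdin), start the UF.
install_one() {
  scp -q -o BatchMode=yes "$UF_TGZ" "$1:/tmp/uf.tgz" </dev/null || return 1
  deployment_client_conf "$DS_URI" | ssh -o BatchMode=yes "$1" "
    sudo -n tar -xzf /tmp/uf.tgz -C /opt &&
    sudo -n tee $SPLUNK_HOME/etc/system/local/deploymentclient.conf >/dev/null &&
    sudo -n $SPLUNK_HOME/bin/splunk start --accept-license --answer-yes --no-prompt"
}

main() {
  verify_pkg "$UF_TGZ" "$UF_SHA256" || { echo "package check failed" >&2; return 1; }
  while read -r host <&3; do   # fd 3 keeps ssh from eating the host list
    valid_host "$host" || { echo "skipping bad entry: $host" >&2; continue; }
    install_one "$host" || echo "FAILED $host" >&2
  done 3< "$HOSTS"
}

# Nothing is touched unless asked to: ./install_uf.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```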