Getting Data In

Can we install a universal forwarder on a 2016 Windows server with SCCM?

jdomin30
New Member

Is it possible to get a UF installed on a 2016 Windows server with sccm or do we have to use a chef recipe?

0 Karma

Lazarix
Communicator

I have done this with SCCM so yes it is very possible.

Splunk Package with:
"This package contains source files". Put said source files on a network location and point the data source to the source folder.
Put the following in this folder:
splunkforwarder--x64-release.msi
install_splunk.bat
org_all_deploymentclient (this is a folder)

inside org_all_deploymentclient, put the following structure:

org_all_deploymentclient

--- local
---- app.conf
---- deploymentclient.conf
---- outputs.conf

inside app.conf:

[install]
state = enabled

[package]
check_for_updates = false

[ui]
is_visible = false
is_manageable = false

inside deploymentclient.conf:

[deployment-client]
clientName=$HOSTNAME

[target-broker:deploymentServer]
# Change the targetUri
targetUri = <fqdn to your deploymentserver>

inside outputs.conf:

[tcpout:server]
server=<fqdn to indexer>:<port>

Once you have this Package created, create a Program:
Name: SplunkUF (name it whatever you want)
command line: install_splunk.bat
Run: hidden
After running: no action required
Program can run: whether or not a user is logged on

inside install_splunk.bat:

msiexec.exe /i "splunkforwarder-<splunkversion>-x64-release.msi" LAUNCHSPLUNK=0 AGREETOLICENSE=Yes INSTALLDIR="%ProgramFiles%\SplunkUniversalForwarder" SERVICESTARTTYPE=auto /quiet
xcopy "org_all_deploymentclient\*.conf" "%ProgramFiles%\SplunkUniversalForwarder\etc\system\" /s /e /i /y
for /F "tokens=3 delims=: " %%H in ('sc query "SplunkForwarder" ^| findstr "        STATE"') do (
  if /I "%%H" NEQ "RUNNING" (
   net start "SplunkForwarder"
  )
)

the second part of the script which starts the service if it isn't running is useful for upgrades, in case the service doesn't start.

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...