
Define python binary for universal forwarder 5.0.5?

Explorer

I'm working in an environment where we have the universal forwarder (5.0.5 - old I know) installed on all our systems to collect custom application logs that we can't get via remote syslog.

I have a situation where I need the "Splunk" version of python 2.7 available to an app used by the forwarder (OSSEC). I've been able to recreate the 2.7 install by compiling python 2.7, installing it under /opt/splunk/, and then copying over the ~/site-packages/* files from one of my indexers. But, I have one remaining problem where the forwarder still keeps calling the system version of python.

Is there a way to define the path to python, or otherwise tell the universal forwarder to look for python under /opt/splunk/bin/ vs /usr/bin ?

[if there's already a doc on this I'd gladly appreciate a link!!]

Thanks!

0 Karma

Re: Define python binary for universal forwarder 5.0.5?

Splunk Employee

Would it be possible to change that one host to a full Splunk (heavy forwarder) instance? Admittedly, I haven't had much luck trying to tweak the included Python, or to provide a replacement for it as you describe.

0 Karma

Re: Define python binary for universal forwarder 5.0.5?

Explorer

Possibly, it'd be a change across the board but then, so is adding an additional install of python 😃 I think I need to investigate the differences between the universal and heavy forwarders.

0 Karma

Re: Define python binary for universal forwarder 5.0.5?

Splunk Employee

The light forwarder includes Python, you might consider that. See Types of forwarders in the Forwarding Data manual.


Re: Define python binary for universal forwarder 5.0.5?

Splunk Employee

You should probably just set the $PATH before you start Splunk up to make sure your python is there before the system one. Suggestions to install the LWF or heavy forwarder because they come with python are probably a bad idea, since you're looking to use a specific version with your own packages, not the version that happens to come with Splunk and includes the Splunk packages (and which you may not want to update). Part of the reason the UF exists is so you can use whatever version you like.


Re: Define python binary for universal forwarder 5.0.5?

Splunk Employee

Ah, thanks, maybe I misread the question...I thought that riodutchie specifically wanted the version of Python that Splunk Enterprise does include.

0 Karma

Re: Define python binary for universal forwarder 5.0.5?

Explorer

I like the idea of setting the PATH - can I do that in the ~/etc/splunk-launch.conf file or is it just setting the path in the /etc/init.d/splunk startup file?

0 Karma

Re: Define python binary for universal forwarder 5.0.5?

Explorer

Wow. I have to give serious thanks to Chris G and Gkanapathy for working with me on this.

I just had a major realization - (and facepalm event) - where I realized I was doing something stupid 😃

I don't need the ossec app installed on my systems with the universal forwarder, I only need it on my search heads.
What I need on my universal forwarders is an update to the SplunkTANIX/local/inputs.conf file to add:

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar

and then it will catch the changes to the system.

Thanks to both of you for helping me!

--John

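As an added example (not from the thread or from Splunk), the following Python checks an inputs.conf fragment like the one in the accepted answer: it lists the monitor stanzas, flags any left disabled (a common reason OSSEC alerts silently never reach the indexers), and reports which sourcetype a given log file would be indexed under. The sample config is constructed from the answer's stanzas with the third one deliberately set to disabled = 1; the wildcard handling is a simplification (only a glob in the final path segment, not Splunk's recursive "..." wildcard).

```python
import configparser
import fnmatch
import os

# Constructed sample: the three OSSEC stanzas from the answer, with the
# active-responses stanza deliberately disabled to exercise the check.
SAMPLE_INPUTS_CONF = """
############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 1
sourcetype = ossec_ar
"""

def parse_monitors(text):
    """Return (path, sourcetype, enabled) for every [monitor://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    monitors = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        path = section[len("monitor://"):]
        disabled = cp.get(section, "disabled", fallback="0").strip().lower()
        sourcetype = cp.get(section, "sourcetype", fallback=None)
        monitors.append((path, sourcetype, disabled not in ("1", "true")))
    return monitors

def disabled_monitors(text):
    """Paths of monitor stanzas that are present but switched off."""
    return [path for path, _, enabled in parse_monitors(text) if not enabled]

def sourcetype_for(text, filepath):
    """Sourcetype an enabled stanza would assign to filepath, or None.
    Assumption: a glob only in the last path segment (no Splunk '...')."""
    for path, sourcetype, enabled in parse_monitors(text):
        if not enabled or os.path.dirname(path) != os.path.dirname(filepath):
            continue
        if fnmatch.fnmatch(os.path.basename(filepath), os.path.basename(path)):
            return sourcetype
    return None
```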