Getting Data In
Highlighted

Deployment of Universal Forwarder to Apple Mac fleet

Explorer

Our company operates a fleet of Apple Macs. We would like to automate the deployment and configuration of the Universal Forwarder agent to these Macs via our MDM platform, but there is very little information provided by Splunk on how to automatically configure the MacOS Universal Forwarder to communicate with our Splunk infrastructure. Given the size of the Mac fleet we ideally do not wish to have a technician install and configure the Universal Forwarder on every machine manually.

The only documentation we've been able to locate is what is posted on this Splunk web page: "docs.splunk.com/Documentation/Forwarder/8.0.0/Forwarder/Installanixuniversalforwarder#InstalltheuniversalforwarderonMacOS_X" - which unfortunately does not provide any guidance on automatically applying the custom configuration settings during the install.

For the MSI (Windows) version of the Universal Forward installer there are a number of parameters available, such as 'DEPLOYMENT_SERVER', 'AGREETOLICENSE', 'SPLUNKUSERNAME' and 'SPLUNKPASSWORD' (ref: "docs.splunk.com/Documentation/Forwarder/latest/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline"). Does anyone know if these parameters are also available for the MacOS version of the Universal Forwarder installer ?

If anyone has experience with deploying the Universal Forwarder to a large Mac fleet we'd be keen to hear how you've automated that process. If indeed it is possible to do so...

0 Karma
Highlighted

Re: Deployment of Universal Forwarder to Apple Mac fleet

Builder

I did not have previous experience deployment UF to large Mac fleet, it seems there is a lack documentation on Splunk for Mac. I found this document and maybe it can help you...so please check this link -> https://www.reddit.com/r/Splunk/comments/9aypa5/mac_osx_universal_forwarder_installation_for_mass/

https://gitlab.com/Macfanatic/ansible-splunkForwarder

0 Karma
Highlighted

Re: Deployment of Universal Forwarder to Apple Mac fleet

Esteemed Legend

NOTE REGARDING INSTALLER SCRIPT BELOW: You just run the script and if no errors, then you are done. Splunk will immediately phone-home to the Deployment Server and download the Splunk configuration files that are appropriate for it on that server.

SPLUNK UF INSTALLER SCRIPT FOR NIX
These are a few things that you might need to change:
0: YOU MUST change the Your.IPV4.Address.Here.
1: It assumes that you have the splunkforwarder*.tgz file in /tmp/. If you do not, change that line accordingly.
2: It assumes that you are installing in /opt/, as in /opt/splunkforwarder/bin/splunk.
3: It assumes that you are running the installer as root and that you will be running splunk as root so that you can access all security-related files. If you are not, be sure to uncomment and adjust the next-to-last line accordingly (to change ownership of the files to the appropriate user, which it lists as splunk but might be something different). If running as user other than root be sure to add -user splunk (or other appropriate user) to the enable boot-start line.

4: It generates a random password which is deliberately not recorded; if you need to login (which should never be necessary), just force a new password.

#!/bin/sh
# NOTE: script assumes there is exactly ONE splunkforwarder*.tgz package already present in /tmp/splunkforwarder*.tgz
clear;
set -x;

cd /opt/;export SPLUNK_HOME=/opt/splunkforwarder
tar xvf /tmp/splunkforwarder*.tgz
cd ./splunkforwarder/

# Generate Deployment Client app
mkdir -p ${SPLUNK_HOME}/etc/apps/vertex_all_deploymentclient/local/
echo"[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = Your.IPV4.Address.Here:8089" > ${SPLUNK_HOME}/etc/apps/vertex_all_deploymentclient/local/deploymentclient.conf

# Splunk First-Time-Run (FTR)
${SPLUNK_HOME}/bin/splunk start splunkd --accept-license --answer-yes --no-prompt --gen-and-print-passwd

# NOTE: This part MUST BE RUN AS root (or sudo)!
# NOTE: If running splunk as non-root, add "-user splunk" to the argument list of "enable boot-start"
sudo ${SPLUNK_HOME}/bin/splunk enable boot-start -systemd-managed 0
sudo systemctl daemon-reload

# Ownership probably does not need to be changed because
# probably script is being run as correct user which may be root or splunk or other.
# sudo chown -R splunk: ${SPLUNK_HOME}
sudo service splunk status
Highlighted

Re: Deployment of Universal Forwarder to Apple Mac fleet

New Member

So to run the script on my mac, I must have the .tgz file in the tmp folder correct? So how do I get this .tgz file in there? Do I have to create a pkg file with the .tgz file in place?

Thanks

0 Karma
Highlighted

Re: Deployment of Universal Forwarder to Apple Mac fleet

New Member

Can I use the splunkforward*.pkg to make this script work for Macs?

0 Karma