Getting Data In

How do we load a Splunk universal forwarder (UF) on a Citrix nonpersistent system Citrix image?

bstimely
New Member

We have a farm of Citrix servers that are built from a Gold image. The systems act as desktops for users. Each night the system is rebooted and it comes up like the day the Gold image was built. All of the Windows logs have been redirected to an E: drive that is persistent. I can't load Splunk on the E drive because it is not accessible when the Gold Image was built. I can't load Splunk on the gold image because it starts every day like a brand new install and the GUID changes each day, plus we get all the logs back to the date the gold image was built.

I think we have 3 choices but don't know how to do any of them.

1) Load Splunk on E drive and figure out how to tell the gold image to start Splunk from E: at boot.
2) Load Splunk on C drive and tell Splunk to only forward events from boot time forward.
3) Load Splunk on C: but tell Splunk to put all the temporary files, fish bucket, or anything else that needs to change, on E:

Anyone have any suggestions? Even a list of all the Splunk UF file locations and registry entries would be a big help.

0 Karma
1 Solution

jconger
Splunk Employee

Is this a PVS or MCS environment? You can install Splunk on your gold image -> http://docs.splunk.com/Documentation/Splunk/latest/Admin/PutSplunkontosystemimages

You can use a symbolic link to route checkpoint and fish bucket data to your persistent drive -> https://answers.splunk.com/answers/679623/how-to-change-modinputs-checkpoints-location.html#answer-6...
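
A sketch of the approach in the answer above, added here as an example and not code from the original post or from Splunk: prepare the forwarder on the gold image, then replace its checkpoint and fishbucket directories with directory symbolic links that point at the persistent drive. It assumes the default install path, the default `SplunkForwarder` service name, and a hypothetical `E:\SplunkState` folder; adjust all three to your environment.

```powershell
# Added example: run from an elevated prompt on the gold image before sealing it.
# Assumptions: default UF install path and service name; E:\SplunkState is a
# hypothetical folder name on the persistent drive.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$StateRoot  = 'E:\SplunkState'
$Relocate   = 'var\lib\splunk\fishbucket', 'var\lib\splunk\modinputs'

# Stop the forwarder so nothing writes checkpoints while directories are replaced.
Stop-Service -Name SplunkForwarder -ErrorAction Stop

# Clear instance-specific configuration, as the system-image documentation describes.
& "$SplunkHome\bin\splunk.exe" clone-prep-clear-config
if ($LASTEXITCODE -ne 0) { throw "clone-prep-clear-config failed ($LASTEXITCODE)" }

foreach ($rel in $Relocate) {
    $link   = Join-Path $SplunkHome $rel
    $target = Join-Path $StateRoot (Split-Path $rel -Leaf)

    $item = Get-Item -LiteralPath $link -Force -ErrorAction SilentlyContinue
    if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        continue   # already a link from an earlier run of this script
    }
    if ($item) {
        # Discard state captured while building the image so clones do not inherit it.
        Remove-Item -LiteralPath $link -Recurse -Force
    }

    # mklink does not check that the target exists, so the link can be created
    # even though E: is not attached while the gold image is being built.
    cmd /c mklink /D $link $target
    if ($LASTEXITCODE -ne 0) { throw "mklink failed for $link" }

    # If the persistent drive happens to be attached, create the target now.
    if (Test-Path -LiteralPath 'E:\') {
        New-Item -ItemType Directory -Path $target -Force | Out-Null
    }
}
```

The link targets must exist on each machine's E: drive before the forwarder service starts; where E: only appears after cloning, create the folders from a startup task that runs ahead of the service.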

