Hi!
So I'm doing mass deployment of the Splunk forwarder to many Macs via Casper Suite and I also wanted to take into account custom settings and several users per Mac. I have not found any good guides in regards to this scenario.
So far I have done the following, but I would like to do things different/better if possible:
- I use the .tar file and copy/install Splunk forwarder to /Applications, set the logged in user as owner of the files (chmod + chown)
- Via script, I make and write to deployment client.conf (under /splunkforwarder/etc/system/local/) the Target-broker and targetUri
- Then the script writes the inputs.conf (same location as previous) to include Logs under the ~/User folder, so I can monitor system.log and the user logs of my choice
- Then the script starts Splunk with the following flags: splunk start --accept-license --auto-ports --no-prompt --answer-yes
So far, so good. But now - I have to handle multiple users per Mac.
Finally, I have been testing with a .plist LaunchAgent that triggers a script, which in turn would write the LoggedInUser logs to inputs.conf (because we might have more than one user on each Mac) and start splunk silently. The problem with this is that it starts Splunk as the logged in user and that user cannot read system.log because of permissions.
I also tried a LaunchDaemon that starts Splunk as Root, so that I can monitor the system.log. Problem then is I can't write the LoggedInUser to inputs.conf (because no one is logged in yet), and even if I then add another LaunchAgent that writes the LoggedInUser to inputs.conf, that would not take effect until the next restart (or until the Splunk process is started manually by Root, which is not going to happen on the client macs).
So yeah, any help would be greatly appreciated in regards to mass deployment of the Splunk forwarder - I would be happy to share more as well if anyone is interested.
Hope to hear from someone 🙂
Okay, so I figured this out and thought I'd share in case someone else has this scenario.
I overcomplicated things and did it the wrong way around.
The correct and easy way would be this:
- I use the .tar file and copy/install Splunk forwarder to /Applications, set the logged in user as owner of the files (chmod + chown)
- Via script, I make and write to deployment client.conf (under /splunkforwarder/etc/system/local/) the Target-broker and targetUri
- Then the script starts Splunk with the following flags: sudo splunk start --accept-license --auto-ports --no-prompt --answer-yes
- Then you have to find a way to start splunk when the machine starts as root. We use a loginscript from our Casper server, but a LaunchDaemon would work fine.
- The rest of the configuration is done via the Splunk servers, I don't have the information as to how that is done - it's another department at my company who does this. But what happens is that they push out this file to the clients via splunk: /splunkforwarder/etc/apps/YOUR OWN NAME/default/inputs.conf.
Here, the index, logs and more information can be found.
Hope this helps someone at least, I spent a lot of time trying this out.
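A script for the two client-side pieces of the procedure above (the deploymentclient.conf that points the forwarder at the deployment server, and a LaunchDaemon so the forwarder starts as root at boot and can read system.log), written as an added example rather than the poster's own Casper script; the install path under /Applications, the plist label and the deployment-server address are assumptions.

```shell
#!/bin/bash
# Added example: client-side setup for a root-run Splunk universal forwarder
# on macOS. Install path, plist label and server address are assumptions.
set -eu

# Write etc/system/local/deploymentclient.conf under $1 (SPLUNK_HOME), pointing
# at the deployment server $2 (host:port). Pushed apps then carry inputs.conf.
write_deploymentclient_conf() {
  local splunk_home="$1" target="$2"
  local dir="$splunk_home/etc/system/local"
  mkdir -p "$dir"
  cat > "$dir/deploymentclient.conf" <<EOF
[deployment-client]

[target-broker:deploymentServer]
targetUri = $target
EOF
  echo "$dir/deploymentclient.conf"
}

# Write a LaunchDaemon plist into $2 that starts the forwarder under $1 as root
# at boot. No KeepAlive: "splunk start" daemonises and exits, so it would loop.
write_launchdaemon_plist() {
  local splunk_home="$1" dest_dir="$2"
  local label="com.example.splunkforwarder"   # assumed label, not Splunk's own
  mkdir -p "$dest_dir"
  cat > "$dest_dir/$label.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$label</string>
  <key>ProgramArguments</key>
  <array>
    <string>$splunk_home/bin/splunk</string>
    <string>start</string>
    <string>--accept-license</string>
    <string>--no-prompt</string>
    <string>--answer-yes</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
  echo "$dest_dir/$label.plist"
}

# Usage (as root): write_deploymentclient_conf /Applications/splunkforwarder deploy.example.internal:8089
#                  write_launchdaemon_plist /Applications/splunkforwarder /Library/LaunchDaemons
```

Because launchd runs the forwarder as root, the install directory should be root-owned rather than chowned to the logged-in user as in the first post; otherwise a user-writable binary is being launched with root privileges.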
Hi SimonSK
Can I get help on this install on macOS? Are you using any MDM like JAMF? How are you actually installing it? Are you using .dmg or .tar?
Can I get the workflow and also the script, so that I can implement it as a test in our environment?
This was super helpful. Thank you for taking the time to write it up.
Two additions to what you've written to be aware of:
First:
./splunk enable boot-start places a file in LaunchAgents - people may want the file in LaunchDaemons.
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/ConfigureSplunktostartatboottime#Enable_boot...
Second:
Splunk has a way to seed the client password:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/User-seedconf