
How to do a mass deployment and configuration of Splunk forwarders to machines running Mac OS X with several users each?

SimonSK
Engager

Hi!

So I'm doing a mass deployment of the Splunk forwarder to many Macs via Casper Suite, and I also wanted to take into account custom settings and several users per Mac. I have not found any good guides for this scenario.

So far I have done the following, but I would like to do things differently/better if possible:
- I use the .tar file and copy/install the Splunk forwarder to /Applications, and set the logged-in user as owner of the files (chmod + chown)
- Via script, I create and write deploymentclient.conf (under /splunkforwarder/etc/system/local/) with the target-broker and targetUri
- Then the script writes inputs.conf (same location as above) to include logs under the ~/User folder, so I can monitor system.log and the user logs of my choice
- Then the script starts Splunk with the following flags: splunk start --accept-license --auto-ports --no-prompt --answer-yes

So far, so good. But now - I have to handle multiple users per Mac.

Finally, I have been testing with a .plist LaunchAgent that triggers a script, which in turn would write the LoggedInUser logs to inputs.conf (because we might have more than one user on each Mac) and start Splunk silently. The problem with this is that it starts Splunk as the logged-in user, and that user cannot read system.log because of permissions.

I also tried a LaunchDaemon that starts Splunk as root, so that I can monitor system.log. The problem then is that I can't write the LoggedInUser to inputs.conf (because no one is logged in yet), and even if I add another LaunchAgent that writes the LoggedInUser to inputs.conf, that would not take effect until the next restart (or until the Splunk process is restarted manually by root, which is not going to happen on the client Macs).

So yeah, any help would be greatly appreciated with regard to mass deployment of the Splunk forwarder. I would be happy to share more as well if anyone is interested.

Hope to hear from someone 🙂

1 Solution

SimonSK
Engager

Okay, so I figured this out and thought I'd share in case someone else has this scenario.

I overcomplicated things and did it the wrong way around.

The correct and easy way would be this:
- I use the .tar file and copy/install the Splunk forwarder to /Applications, and set the logged-in user as owner of the files (chmod + chown)
- Via script, I create and write deploymentclient.conf (under /splunkforwarder/etc/system/local/) with the target-broker and targetUri
- Then the script starts Splunk with the following flags: sudo splunk start --accept-license --auto-ports --no-prompt --answer-yes
- Then you have to find a way to start Splunk as root when the machine starts. We use a login script from our Casper server, but a LaunchDaemon would work fine.
- The rest of the configuration is done via the Splunk servers. I don't have the information on how that is done; another department at my company does this. But what happens is that they push out this file to the clients via Splunk: /splunkforwarder/etc/apps/YOUR OWN NAME/default/inputs.conf. Here the index, logs and more information can be found.

Hope this helps someone at least, I spent a lot of time trying this out.

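As an added example (not code from the original post or from Splunk), here is the accepted answer's procedure written as one install script that a Casper/Jamf policy could run as root: it unpacks the forwarder under /Applications, writes deploymentclient.conf, performs the first start with the same flags used above, and registers a LaunchDaemon so splunkd is started as root at every boot, which is what lets it read system.log. The deployment-server host, tarball path and plist label are assumptions; inputs.conf is still expected to arrive from the deployment server app, as the answer describes.

```shell
#!/bin/bash
# Added example (not from the original post): install script for the Splunk
# universal forwarder on macOS, following the accepted answer's steps.
# Hostnames, the tarball path and the LaunchDaemon label are assumptions.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/Applications/splunkforwarder}"
FORWARDER_TGZ="${FORWARDER_TGZ:-/tmp/splunkforwarder-macosx.tgz}"  # assumed path
DEPLOY_SERVER="${DEPLOY_SERVER:-deploy.example.internal}"         # assumed host
DEPLOY_PORT="${DEPLOY_PORT:-8089}"
DAEMON_LABEL="com.example.splunkforwarder"                          # assumed label
DAEMON_PLIST="/Library/LaunchDaemons/${DAEMON_LABEL}.plist"

# Write etc/system/local/deploymentclient.conf and print its path.
write_deploymentclient_conf() {
  local splunk_home="$1" ds_host="$2" ds_port="$3" client_name="$4"
  local dir="${splunk_home}/etc/system/local"
  mkdir -p "$dir"
  cat >"${dir}/deploymentclient.conf" <<EOF
[deployment-client]
clientName = ${client_name}

[target-broker:deploymentServer]
targetUri = ${ds_host}:${ds_port}
EOF
  printf '%s\n' "${dir}/deploymentclient.conf"
}

# Write a LaunchDaemon plist that runs "splunk start" as root at boot and
# print its path. A LaunchAgent would instead run as the logged-in user,
# which is why system.log was unreadable in the question.
write_launch_daemon() {
  local splunk_home="$1" plist_path="$2" label="$3"
  mkdir -p "$(dirname "$plist_path")"
  cat >"$plist_path" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>${label}</string>
  <key>ProgramArguments</key>
  <array>
    <string>${splunk_home}/bin/splunk</string>
    <string>start</string>
    <string>--no-prompt</string>
    <string>--answer-yes</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>UserName</key>
  <string>root</string>
</dict>
</plist>
EOF
  printf '%s\n' "$plist_path"
}

# Return 0 only if every listed file is readable by the current account.
# Run it as the account splunkd will use (root, via the LaunchDaemon).
check_readable() {
  local f
  for f in "$@"; do
    [ -r "$f" ] || return 1
  done
  return 0
}

install_forwarder() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
  mkdir -p "$(dirname "$SPLUNK_HOME")"
  # Installing as root leaves the tree root-owned, matching the root-run splunkd.
  tar -xzf "$FORWARDER_TGZ" -C "$(dirname "$SPLUNK_HOME")"
  write_deploymentclient_conf "$SPLUNK_HOME" "$DEPLOY_SERVER" "$DEPLOY_PORT" "$(hostname -s)"
  check_readable /var/log/system.log || echo "warning: system.log not readable" >&2
  # Same flags the original poster used for the first, non-interactive start.
  "${SPLUNK_HOME}/bin/splunk" start --accept-license --auto-ports --no-prompt --answer-yes
  write_launch_daemon "$SPLUNK_HOME" "$DAEMON_PLIST" "$DAEMON_LABEL"
  chown root:wheel "$DAEMON_PLIST"
  chmod 644 "$DAEMON_PLIST"
  launchctl load -w "$DAEMON_PLIST"
}

# Only perform the install when invoked as: sudo ./deploy_splunk.sh install
if [ "${1:-}" = "install" ]; then
  install_forwarder
fi
```

The check_readable call is there because the permission failure in the question only shows up at runtime: checking the monitored files as the account splunkd will actually run under catches it at deployment time. Splunk's own `splunk enable boot-start` can create the boot-time plist instead; the hand-written LaunchDaemon above simply makes the root-at-boot choice explicit.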


srajubd
Loves-to-Learn Lots

Hi SimonSK


Can I get help with this install on macOS? Are you using an MDM like JAMF? How exactly are you installing it? Are you using .dmg or .tar?


srajubd
Loves-to-Learn Lots

Can I get the workflow and also the script, so that I can implement it as a test in our environment?


bgstein
Path Finder

This was super helpful. Thank you for taking the time to write it up.

Two additions to what you've written to be aware of:
First:

./splunk enable boot-start places a file in LaunchAgents; people may want the file in LaunchDaemons.

http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/ConfigureSplunktostartatboottime#Enable_boot...
Second:

Splunk has a way to seed the client password:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/User-seedconf
