
How to install Splunk Universal Forwarder on multiple servers?

kiran331
Builder

Hi

What's the best way to install Splunk Universal Forwarder on more than 100 servers without installing on each one separately?

0 Karma

Richfez
SplunkTrust

In addition to lukejadamec's answer, you could also use the Sysinternals tool psexec. You can search for something like "use psexec to install exe remotely" and get a lot of hits on how specifically to use it, and on the download page are instructions and examples.

A few notes, then the process to do this.

You may have to run psexec in elevated mode which requires the -s switch (search "psexec elevated" for more).

You'll probably want to copy the install to the destination folder to run it, I don't recall if I ever had luck running it without it being local to the target machine, but that's easy enough in a batch file or from a command prompt. Command prompts are fun!

I really recommend that you set up a deployment server and point your clients to it. This entire install will require that.

So, first step is to get your silent/quiet install command line sorted out. Refer to the docs on installing the UF via command line on Windows for more options. You'll want to AGREETOLICENSE=Yes and DEPLOYMENT_SERVER="<host:port>" at least. Once you've set those and installed it, the client will talk to the deployment server you set up and then you can set up a set of default inputs and stuff for them all. So, to get this working, manually - via like RDP to a server or two (or on your own desktop) - run from a command prompt the following (and similar) to get the install sorted out. It will end up something like

msiexec.exe /i splunkuniversalforwarder_x64.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes /quiet

Once you get that working on a machine or two, note it 'cause we'll need it later.

Then make a list of the names of your machines. Copy it out of your inventory spreadsheet or whatever. You'll want it in a text file, one entry per line. Call it "allservers.txt". Make another list of just a couple you can pound on and test with, call that "testservers.txt". Let's save all those, plus the msi, in a folder c:\temp. BTW I'm calling them servers. Substitute "clients" in your head if you'd like, doesn't really matter as long as they're accessible over the network and run Windows. Oh, I hope they run Windows. This article isn't gonna help a whole lot if they don't. I digress, though.

So, from a command prompt you'll want something like the following.

c:\users\myusername > cd \temp
c:\temp\ > for /f %i in (testservers.txt) do mkdir \\%i\c$\temp
c:\temp\ > for /f %i in (testservers.txt) do xcopy universalforwarder.msi \\%i\c$\temp
c:\temp\ > psexec @testservers.txt -s msiexec.exe /i c:\temp\universalforwarder.msi blah blah blah 

I can do some proper testing tomorrow at work (I have a few boxes I can do an upgrade on like this to test with, easily enough). I'm pretty sure the first few are fine, it'll be fiddling with psexec at the end that may take some trial and error and searching.

Anyway, the first command changes to the directory where the fun is! (I'll bet you can hardly contain yourself, learning all this fun command line stuff from an old-schooler like me!) I'm assuming you have a c:\temp to CD into. If you don't, you can create that the newfangled way you young'uns do now, pointing and clicking and wearing out your elbows. Or you can type "mkdir c:\temp" then try the cd \temp again (and wear out your fingers instead).

The next uses a for loop reading, one by one, the lines out of the file into a variable called %i, then running a command "mkdir \\%i\c$\temp". This will create a c:\temp on each "name" (aka "server name"), complaining but keeping going if it finds one already. You could make that a more unique directory if you'd like to avoid this (and make cleanup easier later, too). If you do so, just stay consistent with the name in later steps. Type "for /?" for more help on for.

Third line does much like the second, only copying the msi file into that newly created folder. Special note that you'll have to substitute your filename in place of universalforwarder.msi if it differs. And it should. 🙂

The fourth should launch the msi installer via the psexec command using the command you figured out initially. A lot of caveats here, this will take some testing. Also note different syntax to use the contents of the file, since it's a different command. You may need a username and password, which are documented on how to use at the Sysinternals site. You may need to fully path msiexec - it's highly likely it's c:\windows\system32\msiexec.exe. There's a lot more little thingies in here that may catch you up, drop a line if that happens, or do some googling - most problems with this should be resolvable with your favorite search engine. Even Bing may work for that. If I need correctin', that's good, just comment on this with the perfect syntax so it helps everyone, OK?

The first few lines, as long as they worked the first time through, do not need to be done again if you have to try and retry and try again the psexec line. But let me tell you, once you get that working it'll be all magic and cookies after that!

So, once you have that working on those test machines, simply redo those steps except using the allservers.txt file instead of testservers.txt. You'll be old hat by that time, so this won't be a problem.

Disclaimer: If this explodes your network, kicks your puppy, makes your servers catch fire or causes paychecks to not go out this week, none of this is my fault.
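
The four steps from the answer above collected into one batch file, as an added example that is not part of the original post. It adds an installer hash check before anything is copied and a per-host result file; the expected hash is a placeholder, and the result and log file names are hypothetical.

```bat
@echo off
rem deploy_uf.cmd: added example, not from the original post.
rem Usage: deploy_uf.cmd testservers.txt   (run from c:\temp, next to the MSI)
setlocal
set "LIST=%~1"
rem MSI name, deployment server and install switches are the sample values from the post.
set "MSI=splunkuniversalforwarder_x64.msi"
set "DS=deploymentserver1:8089"
rem Placeholder: the SHA256 published for the installer you downloaded.
set "EXPECTED=REPLACE_WITH_PUBLISHED_SHA256"
rem Hypothetical file names chosen for this example.
set "RESULTS=deploy_results.csv"
set "RLOG=c:\temp\uf_install.log"

if not exist "%LIST%" (echo Host list "%LIST%" not found& exit /b 2)
if not exist "%MSI%" (echo Installer "%MSI%" not found& exit /b 2)

rem Hash the installer once, before it is copied to any server.
set "HASH="
for /f "skip=1 delims=" %%h in ('certutil -hashfile "%MSI%" SHA256') do if not defined HASH set "HASH=%%h"
set "HASH=%HASH: =%"
if /i not "%HASH%"=="%EXPECTED%" (echo Installer hash mismatch, nothing deployed& exit /b 3)

>"%RESULTS%" echo host,step,result
rem In a batch file the loop variable is %%i; at the interactive prompt it is %i.
for /f "usebackq tokens=1" %%i in ("%LIST%") do call :deploy %%i
echo Done. Per-host results are in %RESULTS%
exit /b 0

:deploy
set "H=%~1"
set "STEP=mkdir"
if not exist "\\%H%\c$\temp\" mkdir "\\%H%\c$\temp" || goto :failed
set "STEP=copy"
copy /y "%MSI%" "\\%H%\c$\temp\" >nul || goto :failed
rem PsExec hands back the remote msiexec exit code:
rem 0 = installed, 3010 = installed but reboot needed, 1603 = fatal install error.
psexec \\%H% -accepteula -s c:\windows\system32\msiexec.exe /i "c:\temp\%MSI%" DEPLOYMENT_SERVER="%DS%" AGREETOLICENSE=Yes /quiet /l*v "%RLOG%"
>>"%RESULTS%" echo %H%,msiexec,%errorlevel%
goto :eof

:failed
>>"%RESULTS%" echo %H%,%STEP%,failed
goto :eof
```

PsExec installs a temporary PSEXESVC service on each target, which many detection rules alert on, so let whoever watches those alerts know before a bulk run.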

splunkstudy2022
Observer

Hi,

How to do the same thing on Linux servers?

0 Karma

nick405060
Motivator

This deserves more upvotes.

0 Karma

lukejadamec
Super Champion

Use Active Directory to preconfigure the targets and install the forwarders with the appropriate flags, and configure a deployment server to handle the post installation configuration for the different system types.
You will need to read this doc to configure it for your environment:
http://docs.splunk.com/Documentation/Forwarder/6.5.0/Forwarder/InstallaWindowsuniversalforwarderfrom...

0 Karma

kiran331
Builder

Is there a way to install it without Group policy?

0 Karma

lukejadamec
Super Champion

It can probably be done with powershell, but if it was me I would pull the "Domain Support Lever". Give them the forwarder installer, and the commandline command to install it, list of systems, and ask them to install it (cc the enterprise admin).
You should construct the commandline install on a test system to ensure that it connects to the indexer(s) and the deployment server. Once you have all of them connected to the index and the deployment server then the real fun begins.
If you do not have active directory (group policy) support, then there is really no other option than to install each one manually because of the system variables.

0 Karma

lukejadamec
Super Champion

Windows or Linux?

0 Karma

kiran331
Builder

It's on Windows

0 Karma