How to use BigFix to install and maintain the Universal Forwarder?

bkcarter
Path Finder

I am attempting to use BigFix to install the Universal Forwarder on machines within a multi-tenant environment.
I use a single deployment server, and can manually install the UF on a machine and point it to the deployment server, and all works fine if I use the Run as Administrator option.

When I attempt to deploy using BigFix to a Windows machine, it appears to attempt the install, but never (re)starts the Splunkd service, and does not actually perform the installation.

In fact, it acts very similar to attempting to install manually without the Run as Administrator option.

My command line for running the install in BigFix is as follows:

msiexec.exe /i "\path\to\installer\splunkforwarder-x64.msi" DEPLOYMENT_SERVER="server.domain.com:8089  AGREETOLICENSE=Yes  /quiet

Has anyone else done this successfully? Am I missing something? I DO want the UF to be running as Local System account, so I am not trying to do anything special in that regard. I am simply trying to install and maintain the UF binaries with BigFix. I am not interested in creating an "image", as these machines are already built and running.

Thanks!

0 Karma

sfefcu
Path Finder

It looks like you are missing the RECEIVING_INDEXER flag, which is required.

RECEIVING_INDEXER="<server:port>" 

Take a look at the following link for the requirements:
https://docs.splunk.com/Documentation/Forwarder/6.5.3/Forwarder/InstallaWindowsuniversalforwarderrem...

Good Luck!

0 Karma

sfefcu
Path Finder

Also, all command line options for the Universal Forwarder installation can be found here:

http://docs.splunk.com/Documentation/Forwarder/6.5.3/Forwarder/InstallaWindowsuniversalforwarderfrom...

0 Karma

bkcarter
Path Finder

I wondered about that, but since these UFs don't point directly at an indexer, but rather an intermediate forwarder, which should I provide the address to? The settings will be overridden as soon as the deployment server delivers its set of apps to the UF, so does it make a difference which address I give it? Does the install actually verify connection to the indexer before it completes?

Thanks!

0 Karma

sfefcu
Path Finder

Sorry for the long delay in my answer. You would point it to the intermediate forwarder, but as you say the instant it reports in to the deployment server, it will receive the new set of instructions that the deployment server has for it. It does not "verify" connectivity to the indexer in order to install the UF. The UF installation should complete even if the indexer is not responding.

0 Karma

bkcarter
Path Finder

Great! I still have to try this. I have been involved in other projects, but it helps to know it can be done. I will try it soon and let you know how it goes.

Thanks!

0 Karma

maciep
Champion

Probably just a typo when posting here, but you're missing a closing quote on the DEPLOYMENT_SERVER property.

I've pushed Splunk with SCCM but don't include the DS property (we copy an app over with the DS settings). I would suggest maybe adding a /lv "path to a log file" to the msi command to verbosely log the install. If the log doesn't show up, then BigFix may not be launching it at all. If it does, maybe there'll be a hint in there as to why the install doesn't complete.

Also, you could check the event log now to see if the msi failed for any particular reason, but not sure how helpful that would be on its own without the actual msi logs.

0 Karma
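
The logging check suggested in the post above, as an added example that is not code from any poster in this thread: a wrapper the deployment tool could run that records which account and elevation state the installer runs under, writes a verbose MSI log, and reports the exit code and service state. The installer path, the log path and the `SplunkForwarder` service name are assumptions; the MSI properties are the ones quoted in the thread.

```powershell
# Added example. Paths are placeholders; adjust before use.
$Msi         = 'C:\path\to\installer\splunkforwarder-x64.msi'     # placeholder path
$Log         = Join-Path $env:TEMP 'splunkforwarder-install.log'  # hypothetical log location
$ServiceName = 'SplunkForwarder'                                  # assumed UF service name

# Record the security context, since a non-elevated launch is the suspected cause.
$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ("Running as {0}; elevated: {1}" -f $id.Name, $elevated)

# One array element per argument so every quoted value is opened and closed.
$MsiArgs = @(
    '/i', "`"$Msi`"",
    'DEPLOYMENT_SERVER="server.domain.com:8089"',
    'AGREETOLICENSE=Yes',
    '/quiet',
    '/l*v', "`"$Log`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru
$code = $proc.ExitCode

# No log at all means msiexec never got as far as starting the install.
if (-not (Test-Path -LiteralPath $Log)) {
    Write-Output ("No MSI log at {0}; msiexec exit code {1}." -f $Log, $code)
    exit 1
}

switch ($code) {
    0       { Write-Output 'MSI reported success.' }
    3010    { Write-Output 'MSI reported success; a reboot is required.' }
    default {
        Write-Output ("MSI failed with exit code {0}. Failing actions from the log:" -f $code)
        # Verbose MSI logs mark a failed action with "Return value 3".
        Get-Content -LiteralPath $Log |
            Select-String -Pattern 'Return value 3' -Context 5,0
    }
}

# Confirm the service exists and is running after the install.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output ("Service {0} is not installed." -f $ServiceName)
    exit 1
}
Write-Output ("Service {0} status: {1}" -f $svc.Name, $svc.Status)
if ($svc.Status -ne 'Running') { exit 1 }
exit 0
```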

bkcarter
Path Finder

Unfortunately it WAS just a typo when posting here. Oh that it would have been that simple 🙂 Thanks for the suggestion on the logs. I will give it a try and see what it says, and share my results.

Thanks!

0 Karma