How to use BigFix to install and maintain the Univ...

bkcarter · ‎12-02-2016

I am attempting to use BigFix to install the Universal Forwarder on machines within a multi-tenant environment.
I use a single deployment server, and can manually install the UF on a machine and point it to the deployment server, and all works fine if I use the Run as Administrator option.

When I attempt to deploy using BigFix to a Windows machine, it appears to attempt the install, but never (re)starts the Splunkd service, and does not actually perform the installation.

In fact, it acts very similar to attempting to install manually without the Run as Administrator option.

My command line for running the install in BigFix is as follows:

msiexec.exe /i "\path\to\installer\splunkforwarder-x64.msi" DEPLOYMENT_SERVER="server.domain.com:8089  AGREETOLICENSE=Yes  /quiet

Has anyone else done this successfully? Am I missing something? I DO want the UF to be running as Local System account, so I am not trying to do anything special in that regard. I am simply trying to install and maintain the UF binaries with BigFix. I am not interested in creating an "image", as these machines are already built and running.

Thanks!

sfefcu · ‎04-14-2017

It looks like you are missing the RECEIVING_INDEXER flag, which is required.

RECEIVING_INDEXER="<server:port>"

Take a look at the following link for the requirements:
https://docs.splunk.com/Documentation/Forwarder/6.5.3/Forwarder/InstallaWindowsuniversalforwarderrem...

Good Luck!

sfefcu · ‎04-14-2017

Also, all command line options for the Universal Forwarder installation can be found here:

http://docs.splunk.com/Documentation/Forwarder/6.5.3/Forwarder/InstallaWindowsuniversalforwarderfrom...

bkcarter · ‎04-14-2017

I wondered about that, but since these UFs don't point directly at an indexer, but rather an intermediate forwarder, which should I provide the address to? The settings will be overridden as soon as the deployment server delivers it's set of apps to the UF so does it make a difference which address I give it? Does the install actually verify connection to the indexer before it complete?

Thanks!

sfefcu · ‎04-27-2017

Sorry for the long delay in my answer. You would point it to the intermediate forwarder, but as you say the instant it reports in to the deployment server, it will receive the new set of instructions that the deployment server has for it. It does not "verify" connectivity to the indexer in order to install the UF. The UF installation should complete even if the indexer is not responding.

bkcarter · ‎04-27-2017

Great! I still have to try this. I have been involved in other projects, but it helps to know it can be done. I will try it soon and let you know how it goes.

Thanks!

maciep · ‎12-02-2016

probably just a typo when posting here but you're missing a closing quote on the DEPLOYMET_SERVER property.

I've pushed Splunk with SCCM but don't include the DS property (we copy an app over with the ds settings). I would suggest maybe adding a /lv "path to a log file" to the msi command to verbosely log the install. If the log doesn't show up, then big fix may not be launching it at all. If it does, maybe they'll be a hint in there as to why the install doesn't complete.

Also, you could check the event log now to see if the msi failed for any particular reason, but not sure how helpful that would be on its own without the actual msi logs.

bkcarter · ‎12-05-2016

Unfortunately it WAS just a typo when posting here. Oh that it would have been that simple 🙂 Thanks for the suggestion on the logs. I will give it a try and see what it says, and share my results.

Thanks!

How to use BigFix to install and maintain the Universal Forwarder?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM