Installing universal forwarder on a gold image

brianmhs
New Member

Hello!

I'm trying to make the splunk forwarder part of my gold image template for windows servers. 

Right now, I have a script that installs the forwarder using vmware customization once the VM is cloned from its template. I would instead like to install the forwarder on the gold image itself and get rid of the script.

I am using directions from a splunk document. The 3rd section titled "Clone and restore the image" does not make sense to me, it seems to be saying clone the same image 2 or 3 times. 

  1. Restart the machine and clone it with your favorite imaging utility.
  2. After cloning the image, use the imaging utility to restore it into another physical or virtual machine.
  3. Run the cloned image. Splunk services start automatically.
  4. Use the CLI to restart Splunk Enterprise to remove the cloneprep information:

Step 1 - ok so I have cloned my gold image into another machine (that I would think can be used for prod)

Step 2 - Why do I need to restore the cloned VM to another machine?

Step 3 - ok

Step 4 - This is pretty inconvenient, this makes me have to either manually do something, or script it which I'm trying not to do.

This may be terminology confusion on my part, but is there not a way to completely configure the forwarder on the gold image, and when I clone it using vmware, it just comes up and works?

https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Integrateauniversalforwarderontoasystemimag...

0 Karma

SinghK
Builder

For the 4th step, you will have to do that, as when you start making an image or template it keeps info like the server name etc. in the config. It needs to be cleaned out; the clean prep config needs to be done. I can send you the script as well for the same, but that I can do tomorrow, as I will need to check it. I created that long ago and it worked just fine. Do let me know. This is the most important step, or you will face issues later.

0 Karma

brianmhs
New Member

Does step # 4 (splunk restart) need to be done on the gold image itself, or on the new VM that is created from the template?

0 Karma

SinghK
Builder

It has to be done on the VMs. You can try keeping the template boxes offline and running the script on them; maybe you will have to use a batch script there, but it's always easier to fix VMs.

0 Karma

brianmhs
New Member

I ran a test by doing all the steps except for the final step 4 (splunk restart from cmd line). The newly created VM is sending events to the collector, and my searches work ok. So I'm curious what type of issue is caused by not running that final reboot to get rid of the $SPLUNKHOME\cloneprep file?

0 Karma

SinghK
Builder

That final reboot will happen either now or after patching on servers, so it is going to happen, and then it will either stop reporting or report in with the image name.

0 Karma
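
As an added example (not part of any post in this thread and not Splunk's own code), a PowerShell check to run on each VM cloned from the template: it performs the step 4 restart when the cloneprep marker is still present, then confirms the forwarder is not reporting the gold image's name. The install path is the default Windows location and `GOLD-TEMPLATE` is a placeholder for the template's hostname; both are assumptions.

```powershell
# Added example: post-clone identity check for a universal forwarder.
# Assumptions: default install path; 'GOLD-TEMPLATE' is a placeholder hostname.
param(
    [string]$SplunkHome    = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$GoldImageName = 'GOLD-TEMPLATE'
)

function Get-ConfValue {
    # Return the value of $Key inside [$Stanza] of a Splunk .conf file, or $null.
    param([string]$Path, [string]$Stanza, [string]$Key)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $current = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -eq $Stanza -and $t -match "^$([regex]::Escape($Key))\s*=\s*(.*)$") {
            return $Matches[1].Trim()
        }
    }
    return $null
}

$marker = Join-Path $SplunkHome 'cloneprep'
if (Test-Path -LiteralPath $marker) {
    # Step 4 from the thread: restart so Splunk removes the cloneprep information.
    & (Join-Path $SplunkHome 'bin\splunk.exe') restart
}

# Identity values the forwarder reports with, read from the standard config locations.
$identity = [pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    ServerName    = Get-ConfValue (Join-Path $SplunkHome 'etc\system\local\server.conf') 'general' 'serverName'
    InputsHost    = Get-ConfValue (Join-Path $SplunkHome 'etc\system\local\inputs.conf') 'default' 'host'
    Guid          = Get-ConfValue (Join-Path $SplunkHome 'etc\instance.cfg') 'general' 'guid'
    MarkerPresent = Test-Path -LiteralPath $marker
}
$identity | Format-List

# Fail if the clone still carries the template's name or the marker survived the restart.
$stale = @($identity.ServerName, $identity.InputsHost) | Where-Object { $_ -eq $GoldImageName }
if ($stale -or $identity.MarkerPresent) {
    Write-Warning 'Forwarder still carries gold-image identity or the cloneprep marker.'
    exit 1
}
```

Comparing the `Guid` value across several clones also shows whether they share one instance identity.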