Linux deployment of Universal Forwarder issue around not getting prompted to create user

Explorer

Hi - I am trying to deploy the universal forwarder to Linux. We have Altiris to deploy both the script and the package and a service account on the machines we want to deploy to. So I don't need a complete end-to-end script that I've been seeing all over the Splunk Answers board when researching this.

My issue with this script at the moment is that no matter how I structure it, it always prompts to create a user, yet the "edit user" command is in the Splunk documentation to configure the user.

Any ideas or a workaround to this? I could be understanding something wrong so feel free to re-work this if you think I am approaching it incorrectly.

#!/bin/sh

tar xvzf /tmp/splunkforwarder-8.0.0-1357bef0a7f6-Linux-x86_64.tgz -C /opt
/opt/splunkforwarder/bin/splunk edit user admin -password fakepassword -auth admin:fakepassword --accept-license --answer-yes
/opt/splunkforwarder/bin/splunk enable boot-start -user serviceaccount
/opt/splunkforwarder/bin/splunk set deploy-poll "172.16.182.76:8089"
0 Karma
1 Solution

Communicator

The user will not be created until you first start the forwarder (the password file is not part of the tar), so it can’t edit it as the first command (older versions of Splunk just created an admin user in the passwd file by default, now it prompts for a user name when it's started). You can just do enable boot-start first instead of editing the user which will create the password file, or you can create the password file with the admin user in it yourself with either a real password hash or just disabled or something similar in the hash field if you don’t plan on using the admin user. Will check when I get to a computer.

0 Karma

Communicator

Ok, tried this on one of my hosts. This works:

/opt/splunkforwarder/bin/splunk --accept-license --no-prompt --answer-yes enable boot-start -user serviceaccount
/opt/splunkforwarder/bin/splunk add user admin -password NEWPASSWD -role admin
/opt/splunkforwarder/bin/splunk set deploy-poll "172.16.182.76:8089"

And you can also do it by creating the passwd file manually. If you create it BEFORE you run any splunk commands, splunk will start up without asking for admin user creation. (post edited with correction from below)
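An added example, not part of the thread, for the "create the credential before any splunk command runs" route described above. Instead of hand-building the passwd file it assumes Splunk's `user-seed.conf` mechanism, which the thread does not mention, and it keeps the admin password out of the command line. The function name `seed_admin` and the password file path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Splunk's user-seed.conf
# ([user_info] USERNAME/PASSWORD in etc/system/local), which is read on first
# start only when etc/passwd does not exist yet. seed_admin is a hypothetical name.

# usage: seed_admin SPLUNK_HOME USERNAME PASSWORD_FILE
seed_admin() {
    splunk_home=$1
    user=$2
    pw_file=$3
    conf_dir="$splunk_home/etc/system/local"
    conf="$conf_dir/user-seed.conf"

    [ -d "$splunk_home" ] || { echo "no such directory: $splunk_home" >&2; return 1; }
    [ -r "$pw_file" ] || { echo "cannot read: $pw_file" >&2; return 1; }

    # Once etc/passwd exists the seed is ignored, so fail loudly instead of
    # leaving a cleartext password on disk for nothing.
    if [ -e "$splunk_home/etc/passwd" ]; then
        echo "etc/passwd already present, not seeding" >&2
        return 2
    fi

    # Take the first line of the password file; tolerate a missing newline.
    pw=
    IFS= read -r pw < "$pw_file" || true
    [ -n "$pw" ] || { echo "empty password in $pw_file" >&2; return 1; }

    mkdir -p "$conf_dir" || return 1
    rm -f "$conf"
    # Subshell keeps the tightened umask local; file is created mode 0600.
    (
        umask 077
        printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pw" > "$conf"
    )
}

# Typical order on a fresh untar (paths are the thread's):
#   seed_admin /opt/splunkforwarder admin /root/uf_admin.pw   # hypothetical file
#   chown -R serviceaccount /opt/splunkforwarder
#   /opt/splunkforwarder/bin/splunk --accept-license --no-prompt --answer-yes \
#       enable boot-start -user serviceaccount
```

The seed file is mode 0600 and owned by whoever ran the function, so the run-as account must own it before the forwarder first starts.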

Explorer

Hi vliggio,

I appreciate your help. For me, this one still prompted to accept the license and create an administrator username.

I see you're saying that creating the passwd file before will skip the prompt. Is this the only way, or should this script also be skipping that prompt? I also don't think that would stop the license agreement from displaying.

Any ideas? Hoping for completely seamless. Which was surprisingly on Windows due to the MSI.

0 Karma

Communicator

Oops, try this:

/opt/splunkforwarder/bin/splunk --accept-license --no-prompt --answer-yes enable boot-start -user serviceaccount

(order in that one matters)

0 Karma

Explorer

Hi vliggio,

This worked like a charm! Thanks so much for helping out.
If you re-post as an answer I will accept.

🙂

0 Karma

Communicator

I edited the original comment, so you can accept this answer. Glad it worked out for you!

0 Karma

Builder

Where is it prompting you to create a user, when you run splunk edit or when you run splunk start after the 6 lines you are showing?

Have you tried using the no-prompt flag? If you do that and Splunk doesn't start after its initial run you may have to move your password edit line after the initial splunk start and then issue a splunk restart.

0 Karma

Communicator

You have to add user, not edit user. You can't edit what doesn't exist.

Builder

That's an important distinction. Glad you got it working!

0 Karma