Getting Data In

Linux deployment of Universal Forwarder issue around not getting prompted to create user

clozach
Path Finder

Hi - I am trying to deploy the universal forwarder to Linux. We have Altiris to deploy both the script and the package, and a service account on the machines we want to deploy to, so I don't need a complete end-to-end script like the ones I've been seeing all over the Splunk Answers board when researching this.

My issue with this script at the moment is that, no matter how I structure it, it always prompts to create a user, yet the "edit user" command is what the Splunk documentation gives for configuring the user.

Any ideas or a workaround to this? I could be understanding something wrong so feel free to re-work this if you think I am approaching it incorrectly.

#!/bin/sh

tar xvzf /tmp/splunkforwarder-8.0.0-1357bef0a7f6-Linux-x86_64.tgz -C /opt
/opt/splunkforwarder/bin/splunk edit user admin -password fakepassword -auth admin:fakepassword --accept-license --answer-yes
/opt/splunkforwarder/bin/splunk enable boot-start -user serviceaccount
/opt/splunkforwarder/bin/splunk set deploy-poll "172.16.182.76:8089"
0 Karma
1 Solution

vliggio
Communicator

The user will not be created until you first start the forwarder (the password file is not part of the tar), so it can't edit it as the first command (older versions of Splunk just created an admin user in the passwd file by default; now it prompts for a user name when it's started). You can just do enable boot-start first instead of editing the user, which will create the password file, or you can create the password file with the admin user in it yourself, with either a real password hash or just "disabled" or something similar in the hash field if you don't plan on using the admin user. Will check when I get to a computer.

0 Karma

vliggio
Communicator

Ok, tried this on one of my hosts. This works:

/opt/splunkforwarder/bin/splunk --accept-license --no-prompt --answer-yes enable boot-start -user serviceaccount
/opt/splunkforwarder/bin/splunk add user admin -password NEWPASSWD -role admin
/opt/splunkforwarder/bin/splunk set deploy-poll "172.16.182.76:8089"

And you can also do it by creating the passwd file manually. If you create it BEFORE you run any splunk commands, splunk will start up without asking for admin user creation. (post edited with correction from below)

clozach
Path Finder

Hi vliggio,

I appreciate your help. For me, this one still prompted to accept the license and create an administrator username.

I see you're saying that creating the passwd file beforehand will skip the prompt. Is this the only way, or should this script also be skipping that prompt? I also don't think that would stop the license agreement from displaying.

Any ideas? Hoping for completely seamless, which it surprisingly was on Windows due to the MSI.

0 Karma

vliggio
Communicator

Oops, try this:

/opt/splunkforwarder/bin/splunk --accept-license --no-prompt --answer-yes enable boot-start -user serviceaccount

(order in that one matters)

0 Karma
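Putting vliggio's two points together (boot-start before add user, and global flags before the subcommand), here is an added example script that is not from the thread; it also refuses to run "add user" until the forwarder's passwd file exists, and reads the admin password from a root-only file instead of embedding it in a script pushed to every host. The tarball, SPLUNK_HOME, service account and deployment server are the thread's values; the password file path is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: a non-interactive forwarder install
# in the order vliggio found works. The first run, triggered by enable
# boot-start, is what creates etc/passwd, so "add user" only succeeds after it.
# Assumed: the thread's paths and addresses, plus a placeholder root-only
# password file so the admin password is not hardcoded in the deploy script.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
TARBALL="${TARBALL:-/tmp/splunkforwarder-8.0.0-1357bef0a7f6-Linux-x86_64.tgz}"
SERVICE_USER="${SERVICE_USER:-serviceaccount}"
DEPLOY_SERVER="${DEPLOY_SERVER:-172.16.182.76:8089}"
PASSWORD_FILE="${PASSWORD_FILE:-/root/uf-admin.pass}"   # placeholder path

# Global flags must precede the subcommand ("order in that one matters");
# together they suppress both the license and the admin-creation prompts.
splunk_global_flags() {
    printf '%s' '--accept-license --no-prompt --answer-yes'
}

# True once the forwarder has written its passwd file, i.e. after the first
# run. Before that, "edit user" fails because admin does not exist yet.
passwd_file_present() {
    [ -s "$1/etc/passwd" ]
}

# Create the admin user ($1 = SPLUNK_HOME, $2 = password file). Refuses to run
# before the first run, so a mis-ordered script fails loudly instead of silently.
add_admin_user() {
    if ! passwd_file_present "$1"; then
        echo "add_admin_user: $1/etc/passwd missing; run enable boot-start first" >&2
        return 1
    fi
    [ -r "$2" ] || { echo "add_admin_user: cannot read $2" >&2; return 1; }
    "$1/bin/splunk" add user admin -password "$(cat "$2")" -role admin
}

install_forwarder() {
    tar xzf "$TARBALL" -C "$(dirname "$SPLUNK_HOME")"
    # Word splitting of the flag string is intended here.
    "$SPLUNK_HOME/bin/splunk" $(splunk_global_flags) enable boot-start -user "$SERVICE_USER"
    add_admin_user "$SPLUNK_HOME" "$PASSWORD_FILE"
    "$SPLUNK_HOME/bin/splunk" set deploy-poll "$DEPLOY_SERVER"
    rm -f "$PASSWORD_FILE"   # one-shot bootstrap secret; remove it afterwards
}

# Only install when explicitly asked, so the script can be sourced or checked.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_forwarder
fi
```

Run it as `RUN_INSTALL=1 sh install-uf.sh` from the Altiris job after staging the tarball and the password file.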

clozach
Path Finder

Hi vliggio,

This worked like a charm! Thanks so much for helping out.
If you re-post as an answer I will accept.

🙂

0 Karma

vliggio
Communicator

I edited the original comment, so you can accept this answer. Glad it worked out for you!

0 Karma

dflodstrom
Builder

Where is it prompting you to create a user: when you run splunk edit, or when you run splunk start after the 6 lines you are showing?

Have you tried using the no-prompt flag? If you do that and Splunk doesn't start after its initial run, you may have to move your password edit line after the initial splunk start and then issue a splunk restart.

0 Karma

vliggio
Communicator

You have to add user, not edit user. You can't edit what doesn't exist.

dflodstrom
Builder

That's an important distinction. Glad you got it working!

0 Karma