Override system local folder

bcross64
Explorer

I would like to install a hollow shell of Splunk that only has the deployment server configured and then the deployment server passes it its server.conf, ldap.conf, splunk.secret, etc. After the Splunk installation gets all of its information from the deployment server, I should be able to authenticate with LDAP, it should be clustered and it should be able to receive information from all the universal forwarders. I know how to generalize most of the files in question from this post.

Is this dream possible?

lukejadamec
Super Champion

What I have done to handle things that the Deployment Server was not designed to do is to write a script that moves files and sets permissions. The problem is that the script execution needs to be controlled. For my uses, having the script run once at Splunk startup ensures that permissions and files are set correctly – not necessary but not hurtful.
In your case, you’ll need to consider how to manage script execution.

Here is how it works from a high level:

1. Create a deployment app folder that contains the files you need to control on the remote server.
2. Create a script that moves those files, etc., in the bin folder of that deployment app folder.
3. Create an inputs.conf that executes that script in the local folder of that deployment app folder.
4. Create the serverclass, etc., for the Splunk instance you want to manage.
5. Put the deployment app folder in the deployment apps directory of the Deployment Server.
6. Create a deploymentclient.conf file on the remote Splunk server.

One thing I'm not sure about is why you want to do it this way. Splunk Inc already has a proven clustering solution. The post you're referring to is for managing forwarders.
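
One way to write the file-moving script from the steps above, as an added example that is not part of the original answer. The app layout, the `payload` folder name, the file list and the modes are assumptions, and it is POSIX shell for a Linux host rather than the PowerShell the asker uses.

```shell
#!/bin/sh
# bin/place_files.sh in a hypothetical deployment app (added example).
# Started once per splunkd startup by the app's local/inputs.conf:
#   [script://./bin/place_files.sh]
#   interval = -1

# install_one SRC DEST MODE
# Returns 0 if DEST was written, 1 if it was already current, 2 on error.
install_one() {
    src=$1; dest=$2; mode=$3
    [ -f "$src" ] || { echo "missing $src" >&2; return 2; }
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        chmod "$mode" "$dest" || return 2   # re-assert permissions only
        return 1
    fi
    tmp="$dest.tmp.$$"
    # Stage beside DEST under a tight umask so the copy is never group/world
    # readable, then rename into place so readers never see a partial file.
    ( umask 077; cp "$src" "$tmp" ) || return 2
    chmod "$mode" "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
    return 0
}

# place_files APP_DIR SPLUNK_HOME
# Prints the number of files written; exit status 1 if any file failed.
place_files() {
    app=$1; home=$2; changed=0; failed=0
    # Columns: file in the app's "payload" folder (hypothetical name),
    # destination relative to SPLUNK_HOME, mode.
    while read -r name rel mode; do
        rc=0
        install_one "$app/payload/$name" "$home/$rel" "$mode" || rc=$?
        case $rc in
            0) changed=$((changed + 1)) ;;
            2) failed=1 ;;
        esac
    done <<EOF
server.conf etc/system/local/server.conf 600
splunk.secret etc/auth/splunk.secret 400
EOF
    echo "$changed"
    return "$failed"
}

# Run only when splunkd executes this file (it exports SPLUNK_HOME), not when
# the functions are sourced elsewhere.
if [ -n "${SPLUNK_HOME:-}" ] && [ "${0##*/}" = "place_files.sh" ]; then
    place_files "$(dirname "$0")/.." "$SPLUNK_HOME" >/dev/null
fi
```

splunkd reads server.conf when it starts, so a file placed by this startup-time script takes effect at the next restart.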

bcross64
Explorer

That is what I thought needed to happen. I have already scripted the server install with PowerShell, so adding a few lines to move some files around is no big deal.

I don't understand your comment about clustering. I'm not suggesting replacing the master for distributing conf files to peers. I would just like the other nitpicky pieces (SSL for Splunk web, adding the peer to the cluster by editing the conf file, enabling LDAP authentication) to be taken care of by the install script.

Also, the post I referred to was referring to a server.
