I'm installing Splunk on an Enterprise Linux 6.1 machine.
The Install on Linux instructions talk about a RPM, but don't explain where the RPM is.
A Yum/RPM repository would be helpful in terms of installation and updates, and would speed up the deployment of security updates.
This would also help with security updates. In our case Splunk doesn't always notify us that there is a security update available and Splunk security updates are not announced via email. If Splunk provided yum & apt repos, then checking for security update could be as simple as
yum check-update splunk or
yum upgrade splunk.
Does Splunk.com provide a Yum/RPM repository for the Splunk application?
Do you have an update on this please?
It would save my team manual work every month at least (more for urgent security updates).
The lack of public repos is particularly frustrating for Debian/Ubuntu clients. This is because I will have to set up my own signed repository just to distribute packages which were already signed by Splunk.
It is not possible to just drop the Splunk-signed packages on my apt-mirror; I have to sign the repository itself (or use unsigned packages!)
At least Red Hat based OSes only require a basic repo (and it can be imported into Satellite 6 easily).
Fantastic! But don't be teasing us, now 😉
Soon as you have info I'd love to hear it -- of course!
We now have security announcements available via RSS feed. I'll mention this in the linked question also. See https://www.splunk.com/page/securityportal
Edit: I see that was already covered there.
Sure but that's still treating Splunk content like a special snowflake. I just want to sync the damn rpms into our enterprise the way all the others happen. If even stuck-in-the-1990s Dell can manage, so can Splunk.
One of the reasons that I heard why Splunk does not have a public repo is that as a part of the Terms of Service under Exhibit A, line 17:
Customer certifies that Customer is not on any of the relevant U.S. government lists of prohibited persons, including the Treasury Department’s List of Specially Designated Nationals and the Commerce Department’s List of Denied Persons or Entity List.
This is done by accepting the terms of service when a user logs in and downloads the software.
The solution is that users can create their own Yum repos and update them using the cURL command listed in the Download page for each version. Once you've set up your own private repo, then you can run
yum install splunkforwarder -y and install your forwarder.
Here are the steps to create your own custom YUM repo:
yum install createrepo
wget -O SPLUNK.RPM https://www.splunk.com/bin/splunk/DownloadActivityServlet?
mv /path/to/rpm /splunkrepo
Create the repo config file. Example repo file:
name=Splunk Software Repository
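An added example (not code from any poster in this thread, nor Splunk's own tooling) that ties the private-repo steps above to the MD5 check the accepted answer mentions, and adds a version-from-filename helper for the automation question raised later in the thread. The /splunkrepo directory follows the thread; the repo id, the GPG key path and the RPM used in testing are assumptions or constructed.

```shell
#!/bin/sh
# Added example: stage a Splunk RPM into a private yum repo only after its
# MD5 matches the value published on the Splunk download page, then write
# the repo definition. The GPG key path is a placeholder (assumption).
set -u

# verify_md5 FILE EXPECTED_MD5 -> returns 0 on match, 1 on mismatch
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# rpm_version FILE -> prints the version embedded in a Splunk RPM filename,
# e.g. splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm -> 8.0.6
rpm_version() {
    basename "$1" | sed -n 's/^splunk[a-z]*-\([0-9][0-9.]*\)-[0-9a-f]*-linux.*\.rpm$/\1/p'
}

# stage_rpm FILE EXPECTED_MD5 REPO_DIR -> copy the RPM into the repo and
# rebuild metadata; refuses (exit 1) on checksum mismatch so a corrupted or
# tampered download never reaches clients.
stage_rpm() {
    verify_md5 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    mkdir -p "$3" && cp "$1" "$3/" || return 1
    # createrepo is only present on a repo host; skip it elsewhere
    if command -v createrepo >/dev/null 2>&1; then createrepo --update "$3"; fi
}

# write_repo_file REPO_DIR OUT -> yum repo definition with signature checks on
# (repo id "splunk-local" and the key path are assumptions)
write_repo_file() {
    cat > "$2" <<EOF
[splunk-local]
name=Splunk Software Repository
baseurl=file://$1
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-SPLUNK-PLACEHOLDER
EOF
}
```

Clients then only need the generated .repo file; the staging host is the single place that fetches from splunk.com, so its own logs show exactly which packages were pulled and when.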
It's trivially done by ensuring customers use their own custom credentials to access the repo, embedded in the yum repo URL. This also provides excellent logging which I'm sure will be the next insurmountable micro-obstacle.
I'm not sure that the repo has to be publicly available to meet the purposes of the requester of this feature.
There are companies (RedHat and EnterpriseDB, for example) that offer authenticated YUM repositories that are not publicly accessible, but still allow their customers to download and manage their packages via YUM.
In that vein, here is a github repo that has a script that I wrote to perform a nightly download of the splunk-enterprise and splunk-universal-forwarder packages and generate a local YUM repo from them.
I've been using it for a while, and it seems to get the job done in my case.
Note: You'll have to give it a splunk.com login for it to be able to download the packages in an authenticated manner.
The problem with the method you suggest is that you must supply all of the version information for the forwarder when doing the wget command, and there doesn't seem a simple way to automate providing this information. For example, to get the current version of the forwarder (as of this writing), you need to execute:
wget -O splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'
How do you automate the "version=8.0.6" and "filename=splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm" values to be able to execute the "wget" command?
Oh, that makes me feel better, I'm sure that Exhibit A, line 17 has done wonders in protecting us from Enemies of the State. I understand accepting it once, but on every update? On the Forwarders? Please. I bet you heard that from one of their lawyers... 😉
On a lighter note:
We have a private repo, and it works great for everything including the forwarder updates. The problem is that when the Splunk process restarts, it prompts for the license agreement and asks if you want to migrate the database. Yes, I'm aware of the switches we can use, but this can't be automated without some kind of post-processing (script). The upshot is, if we drop a Splunk update in our repos, and folks run 'yum update' across their enclave -- their Splunk instances don't restart -- and the only indication to me is that I notice I haven't seen a bunch of systems reporting in after a while. With NIST 800-171 breathing down our necks (end-point log monitoring), that's not good.
Are you implying that you've done this, and you don't have that problem?
I've done this using automation tools such as Chef, Puppet and Ansible. I also use the tgz files instead of RPM's, more of a preference on my part. That is a more scalable solution since I can control the deployment and the orchestration of the update. I agree that a yum / apt repo would be nice to have and I've asked for it too.
Additionally, here is a blog post to help with using a repo server and installing splunk binaries: http://www.rfaircloth.com/2017/03/07/automating-splunk-deployment-redhatcentos-poor-mans-edition/
cp splunkforwarder*.rpm /opt/splunkrepo
Here's where that post skips over the part we want, but does add some flash and finish we can figure ourselves.
This only solves a minor part of the problem. People asking for a YUM repo mostly aren't asking because they want to install updates direct from a YUM repository, but because we want an easy sync source for our own pre-existing internal YUM repos that takes the human factor out of checking the main site by hand for updated packages, downloading them and re-publishing them internally. With Satellite or Pulp, all that would happen automatically based on pre-defined sync and publish rules.
Splunk is currently the ONLY vendor I have to do this archaic nonsense by hand with still. Everything else is synced automatically overnight into Satellite and pre-defined rules specify the workflow from there.
But, don't you feel safer knowing that Exhibit A, line 17 is protecting Freedom, Heroes, and Apple Pie? 😉
This is a really old thread, but I wonder if there is an update. I'd think Splunk would have put a repo up by now.
No change, AFAIK.
Splunk engineers tell me the assumption is that people are using 3rd party products (i.e. Puppet). That's fine if you have staff to support that. But we're just a "medium" sized organization so I'm facing about 1,000 systems (and separate sys-admin groups all doing their own thing) to update manually (i.e. no Puppet). All because Splunk lawyers feel it's necessary for us to acknowledge the freakin' license agreement after every update. After seeing enough of their presentations with that retarded first slide they always put up ("Disclaimer...!") I'm not surprised. Do I sound bitter about this? 'cause I am...
Any update on this topic since it was asked at Nov '11?
I am also going to deploy Splunk forwarder on many servers and was wondering how to ensure it is being kept up to date with security updates etc?
Why not support the native Linux software management tools?
This could be a great way to keep eg forwarders up to date if not the search head/indexers.
No, Splunk does not provide a yum/RPM repository. (No deb/apt repository either.) You can select your version of choice from: http://www.splunk.com/download (registration needed to download after you've selected your version).
On the target page for the selected download version, you will also find a link to the MD5 for that version if you wish to verify the download, along with instructions for getting the file using wget instead of your browser.