Splunk Enterprise

Deploy the Splunk Forwarder via Deployment Server

shocko
Contributor

I'm a very basic Splunk admin using Splunk Enterprise 8.2.4 with deployment server pushing out our apps/configs to the forwarders. I need to install the agent onto 100 existing Windows 2016/2019 servers. I can easily script up the MSI using MECM or the like, but I'm wondering if the Splunk Deployment server can push the agent, or if it provides a PowerShell script I could hand to my server admins to do the same from the target servers?


SinghK
Builder

Deployment server can only push config to forwarders.

Use this PowerShell script:

$errorfile = "D:\Splunk\SplunkForwarderInstall.log" # change path accordingly and update here this will be needed for any issues with installation.
Start-Transcript -Path $errorfile -NoClobber
$csvpath = "D:\Splunk\servers.csv" # CSV with a "Name" column listing the target servers
$files = Import-Csv -Path $csvpath | Select-Object -ExpandProperty Name
$name = "SplunkForwarder" # service name created by the forwarder installer
foreach($file in $files){
    Write-Host "Starting to copy SplunkForwarder installer on $file" -ForegroundColor Green
    #defining destination and source directory
    $sourcePath = "D:\Splunk<or directory path>"
    $destPath = "\\$file\<directory path>"
    #creating folder
    New-Item -Path $destPath -ItemType Directory -Force
    #copying
    Copy-Item -Recurse -Path $sourcePath -Destination $destPath -Force
    Write-Host "Copying installer on $file complete" -ForegroundColor Green
    #running setup for SF (the MSI path is resolved on the remote server)
    Write-Host "Starting installation on $file" -ForegroundColor Green
    Invoke-Command -ComputerName $file -ScriptBlock { & cmd /c msiexec /i "<location of splunkforwarder.msi>" AGREETOLICENSE=Yes /quiet}
    Write-Host "Installation complete on $file" -ForegroundColor Green
    Write-Host "Validating install by checking if service is running. Please check the output <path to output directory D:\Splunk_install\.....blah blah>"
    $Running = Get-Service -Name $name -ComputerName $file -ErrorAction SilentlyContinue
    if($Running.Status -eq "Running"){
        #stop the service, drop in deploymentclient.conf, then start it again
        Write-Host "SplunkForwarder service will be stopped for $file" -ForegroundColor Green
        Get-Service -Name $name -ComputerName $file | Set-Service -Status Stopped
        Write-Host "SplunkForwarder service has been stopped on $file" -ForegroundColor Green
        Write-Host "Copying deploymentclient.conf to $file" -ForegroundColor Green
        $Dest = "\\$file\c$\Program Files\SplunkUniversalForwarder\etc\system\local"
        $Source = "D:\Splunk\deploymentclient.conf" # Source directory can be any directory update the path here accordingly
        Copy-Item -Path $Source -Destination $Dest -Force
        Write-Host "Starting SplunkForwarder service on $file" -ForegroundColor Green
        Get-Service -Name $name -ComputerName $file | Set-Service -Status Running
        Write-Host "SplunkForwarder service has been started on $file" -ForegroundColor Green
    }
    else {
        #service missing or not running: the install did not complete on this server
        Write-Warning "SplunkForwarder service is not running on $file; deploymentclient.conf was not copied"
    }
}
Stop-Transcript
 
Try and make changes where needed, like paths etc.
What this basically does is install the forwarders, copy the deploymentclient config and restart the SplunkForwarder service, and it captures logs as well so you can see errors.

shocko
Contributor

Much appreciated! Any reason you copy the deployment server config file rather than specifying the deployment server name/port in the MSI parameters? Just curious!

SinghK
Builder

No specific reason. Just my way of doing things.

If you can please upvote this as an answer. Mucho gracias.
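
The MSI-parameter approach asked about above, as an added example that is not part of the original thread: it runs locally on one target server, checks the installer's hash and Authenticode signature before installing, passes the deployment server through the installer's DEPLOYMENT_SERVER property, and checks the msiexec exit code and the resulting configuration. The file paths under C:\Temp, the host:port and the expected hash are placeholders, and it assumes the MSI is Authenticode-signed.

```powershell
# Added example: run in an elevated session on the target server.
# Paths, host:port and the expected hash are placeholders (assumptions).
$ErrorActionPreference = 'Stop'
$Msi              = 'C:\Temp\splunkforwarder.msi'
$MsiLog           = 'C:\Temp\splunkforwarder-msi.log'
$DeploymentServer = 'deploy.example.internal:8089'
$ExpectedSha256   = '<SHA-256 published for this installer>'
$SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder'

# 1. Integrity: refuse to install a file whose hash differs from the published one.
$actual = (Get-FileHash -Path $Msi -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch for ${Msi}: got $actual"
}

# 2. Authenticity: the Authenticode signature must validate (assumes a signed MSI).
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${Msi}: $($sig.Status)"
}
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# 3. Silent install; DEPLOYMENT_SERVER sets the deployment client target.
$msiArgs = @(
    '/i', "`"$Msi`"",
    'AGREETOLICENSE=Yes',
    "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
    '/quiet', '/norestart',
    '/L*v', "`"$MsiLog`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = installed, reboot required
    throw "msiexec failed with exit code $($proc.ExitCode); see $MsiLog"
}

# 4. Verify the service is up and the forwarder resolved the intended target.
$svc = Get-Service -Name 'SplunkForwarder'
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))   # throws on timeout
$btool = & "$SplunkHome\bin\splunk.exe" btool deploymentclient list
if (-not ($btool -match [regex]::Escape($DeploymentServer))) {
    throw "Deployment server $DeploymentServer not found in deploymentclient config"
}
Write-Host "Forwarder installed and pointed at $DeploymentServer"
```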

SanjayReddy
SplunkTrust

Hi @shocko 

Currently we cannot use the Splunk deployment server to install the Splunk UF on remote servers; it can only be used for deploying apps/configs to existing UFs.
