Splunk Enterprise

How to deal with unattended universal forwarder upgrade ?

Arjan1
New Member

Hi, I'm in the middle of testing deployment of the UF for a new setup and I started with 9.0.1, deploying it with ansible from a local yum repository as the initial push. (that' s the gist of it, bit more complex infrastructure behind it but not really relevant)

But now 9.1.1 came out which was pointed out to me due to a security alert so I updated the package on our repository, hit 'yum update'  on one of my test servers, and this broke the UF.

Apparently it needs to be started manually once with '--accept-license --answer-yes --no-prompt'  to complete the upgrade and accept the license .. again .. ?

Is there a clever way of dealing with this so it just works after upgrading the rpm ? Short of modifying the rpm's spec file so it does some starting and stopping while the rpm is being upgraded.

Manually doing this in case there happens to be an update is just not an option due to the number of hosts, our regular updates run unattended with basically just a 'yum/dnf update -y'

Modifying the systemd file so it just starts with the required parameters does not appear be working with the '_internal_launch_under_systemd' , replacing that with the old 'start etc' makes the UF not work with systemd anymore.
RHEL9 is going to forego the init.d folder I think so using older more flexible sysV scripts is not an option either.

Any sort of manual intervention when there happens to be a new version is highly undesirable.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...