Here is another method on how to install the splunk universal forwarder (linux).
I looked into many puppet modules, but none actually solved the auto-accept license problem for me in an acceptable manner (like, not messing with init scripts or the like). So I hacked my own module. Our setup includes puppet-dashboard and an internal package repository in which the splunk forwarder packages are checked in, so we can install them with apt/yum.
I also added an option to remove the splunk forwarder from the servers in case it is no longer needed.
The installation is controlled via the variable 'splunk_uf_enable' which is set in puppet-dashboard. I guess the module is short enough to be easily adapted to work without puppet dashboard variables.
init.pp
class splunk_uf {
if $::splunk_uf_enabled == 0 {
notify { 'Splunk universal forwarder disabled in dashboard, undeploying installation and removing startup links. Configuration files will be preserved.': }
include splunk_uf::undeploy
}
if $::splunk_uf_enabled == 1 {
notify { 'Splunk universal forwarder enabled in dashboard, deploying installation and adding startup links.': }
include splunk_uf::deploy
}
}
deploy.pp
class splunk_uf::deploy {
notify { 'Will deploy, configure and enable splunk forwarder.': }
include splunk_uf::config
include splunk_uf::service
package { "splunkforwarder":
ensure => "present",
require => Exec["aptitude_update"],
before => Class['splunk_uf::config', 'splunk_uf::service'],
}
}
class splunk_uf::deploy {
notify { 'Will deploy, configure and enable splunk forwarder.': }
include splunk_uf::config
include splunk_uf::service
package { "splunkforwarder":
ensure => "present",
require => Exec["aptitude_update"],
before => Class['splunk_uf::config', 'splunk_uf::service'],
}
}
class splunk_uf::config {
file { "/opt/splunkforwarder/etc/system/local/outputs.conf":
content => template("splunk_uf/opt/splunkforwarder/etc/system/local/outputs.conf.erb"),
mode => "0644",
owner => "root",
group => "root",
notify => Service["splunk"],
require => Class['splunk_uf::deploy'],
}
}
class splunk_uf::service {
exec { "splunk_uf_enable_boot_start_accept_license":
command => "/opt/splunkforwarder/bin/splunk enable boot-start --accept-license --no-prompt --answer-yes",
onlyif => "/opt/splunkforwarder/bin/splunk enable boot-start --no-prompt 2>&1 | egrep -i '.*not.*accepted.*'",
path => "/opt/splunk/bin:/usr/bin:/usr/sbin:/bin",
logoutput => true,
}
service { "splunk":
enable => true,
ensure => "running",
hasrestart => true,
hasstatus => true,
require => Class['splunk_uf::config'],
}
}
class splunk_uf::config {
file { "/opt/splunkforwarder/etc/system/local/outputs.conf":
content => template("splunk_uf/opt/splunkforwarder/etc/system/local/outputs.conf.erb"),
mode => "0660",
owner => "root",
group => "root",
notify => Service["splunk"],
require => Class['splunk_uf::deploy'],
}
}
class splunk_uf::service {
exec { "splunk_uf_enable_boot_start_accept_license":
command => "/opt/splunkforwarder/bin/splunk enable boot-start --accept-license --no-prompt --answer-yes",
onlyif => /opt/splunkforwarder/bin/splunk enable boot-start --no-prompt 2>&1 | egrep -i '.*not.*accepted.*'",
path => "/opt/splunk/bin:/usr/bin:/usr/sbin:/bin",
logoutput => true,
}
service { "splunk":
enable => true,
ensure => "running",
hasrestart => true,
hasstatus => true,
require => Class['splunk_uf::config'],
}
}
undeploy.pp
class splunk_uf::undeploy {
notify { 'Will undeploy and disable splunk forwarder. Config will be preserved': }
service { "splunk":
enable => false,
ensure => "stopped",
hasrestart => true,
hasstatus => true,
}
package { "splunkforwarder":
ensure => "absent",
}
}
Minimal template: outputs.conf.erb
[tcpout]
defaultGroup = indexers
[tcpout:indexers]
server=splunk:9997
... View more