Can deployment server upgrade universal forwarders yet?

nls21
Explorer

Reading and reading and all I see is using the deployment server to update forwarders with apps and such.

Is it still not possible (as read from older posts) to upgrade numerous universal forwarders to latest Splunk versions/revisions from the deployment server? Really? How are folks doing this? Are they writing their own scripts? Anyone want to share?

1 Solution

gkanapathy
Splunk Employee

No it is not possible. My advice is still the same: to use whatever normal installation/systems management tools you have to install and upgrade forwarders, and to use Deployment Server for day-to-day forwarder configuration changes. See here or in various other posts for scripts and suggestions.

mauricio_sandov
Explorer

**Modified PowerShell to skip if 7.2.4 already exists on system**
**Modified .bat file to only run once at service start**
**This allows you to install and not loop Uninstall-Install of same UF update**

I used this process to remove older versions of the Windows UF and upgrade using app deployment. The main piece was a batch file in the /bin/scripts directory that allowed me to run whatever I needed. You need to create an app with the files and directories listed below on the deployment server, create a server class to add your old UF clients, and push it out using the normal app deployment process. Make sure to remove clients from the server class once they are upgraded. This process removed older version 7.2.x, and installs 7.2.4. It also removes the old and adds the new Deployment Server configuration to the UF client that you're upgrading. My Deployment server then pushed out any default apps my Windows systems needed. It's not pretty but it works and you can improve it. I had to modify directory names, so be careful that the scripts match what you create.

App location: /opt/splunk/etc/deployment-apps/windows_ufupdate7.24/
App contents and folders you have to create
/local/app.conf (blank file needed for Deployment server)
/bin/splunkforwarder-7.2.4-8a94541dcfac-x64-release.msi (downloaded from splunk.com)
/bin/SplunkFullInstall.ps1 (example below)
/bin/CopyConfigs.ps1 (adds app to UF client with the Deployment server IP. Example below)
/bin/scripts/installer.bat (example below)
/bin/configfiles/deploymentclient/local/app.conf (blank file needed for Deployment server)
/bin/configfiles/deploymentclient/local/deploymentclient.conf (example below)
/default/inputs.conf (needed to execute windows bat file. Example below)

/bin/SplunkFullInstall.ps1

    # Relaunch elevated if the script is not already running as Administrator
    $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
    $testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
    if ($testadmin -eq $false) {
        Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
        exit $LASTEXITCODE }

    #### SPLUNK 7.2.4
    # If the 7.2.4 product key is already registered, exit so the install does not loop
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
    $regkeypath= "HKCR:\Installer\Products\F63C3FFC168A520418A4FF5C143E9D11"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Write-Host "The value does exist"
        Start-Sleep -s 25
        exit}
    Else {Write-Host "The value does not exist"}

    # Remove the Windows Installer product keys of older forwarder versions, if present
    $regkeypath= "HKCR:\Installer\Products\562176F993A508143953E0C4217E1283"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\562176F993A508143953E0C4217E1283 -Recurse}
    Else {Write-Host "The value does not exist"}

    $regkeypath= "HKCR:\Installer\Products\D8F76B23C2EAA254395F55894752D642"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\D8F76B23C2EAA254395F55894752D642 -Recurse}
    Else {Write-Host "The value does not exist"}

    $regkeypath= "HKCR:\Installer\Products\E698A50C4F506B941A19CF921B63B218"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\E698A50C4F506B941A19CF921B63B218 -Recurse}
    Else {Write-Host "The value does not exist"}

    #### SPLUNK 6.3.0
    $regkeypath= "HKCR:\Installer\Products\C042F9A1CE44AA641A538C56CC9204B1"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\C042F9A1CE44AA641A538C56CC9204B1 -Recurse}
    Else {Write-Host "The value does not exist"}

    #### SPLUNK 6.6.1
    $regkeypath= "HKCR:\Installer\Products\38133C98C7FC0BA42863BB91DCE49DC1"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\38133C98C7FC0BA42863BB91DCE49DC1 -Recurse}
    Else {Write-Host "The value does not exist"}

    #### SPLUNK 6.5.2
    $regkeypath= "HKCR:\Installer\Products\D9D0997EE40A2E545AF41AA604E579C7"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\D9D0997EE40A2E545AF41AA604E579C7 -Recurse}
    Else {Write-Host "The value does not exist"}

    #### SPLUNK 6.5.3
    $regkeypath= "HKCR:\Installer\Products\727981DA44845B34E97839CA1F7880DA"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\727981DA44845B34E97839CA1F7880DA -Recurse}
    Else {Write-Host "The value does not exist"}

    #### SPLUNK 6.6.3
    $regkeypath= "HKCR:\Installer\Products\E6FA769F0A983BE4CABE3C4CB5E03FEE"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\E6FA769F0A983BE4CABE3C4CB5E03FEE -Recurse}
    Else {Write-Host "The value does not exist"}

    #### SPLUNK 7.0.1
    $regkeypath= "HKCR:\Installer\Products\4E3F41596A1605B488E5410B7345105E"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\4E3F41596A1605B488E5410B7345105E -Recurse}
    Else {Write-Host "The value does not exist"}

    #### SPLUNK 7.2.1
    $regkeypath= "HKCR:\Installer\Products\1B38171A5C10C7C47A5E38811D50D4C8"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\1B38171A5C10C7C47A5E38811D50D4C8 -Recurse}
    Else {Write-Host "The value does not exist"}

    #### SPLUNK 7.2.3
    $regkeypath= "HKCR:\Installer\Products\ADD0EC2EB45B100469D56B727798A671"
    $value1 = (Get-Item $regkeypath) -eq $null
    If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\ADD0EC2EB45B100469D56B727798A671 -Recurse}
    Else {Write-Host "The value does not exist"}

    # Stop the forwarder and remove the old deployment client configuration
    stop-service SplunkForwarder
    stop-service Splunkd
    Start-Sleep -s 15
    Remove-Item 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf' -Force -ErrorAction SilentlyContinue

    # Silent install of 7.2.4, then copy in the new deployment client app and restart
    Invoke-Command -scriptblock { msiexec.exe /q ALLUSERS=2 /m MSIASQSH /i "$PSScriptRoot\splunkforwarder-7.2.4-8a94541dcfac-x64-release.msi" AGREETOLICENSE=Yes SPLUNKPASSWORD=buddy-holly-weezer }
    Start-Sleep -s 15
    Copy-Item "$PSScriptRoot\ConfigFiles\*" $env:programfiles\SplunkUniversalForwarder\etc\apps -Force -Recurse
    Start-Sleep -s 30
    restart-service SplunkForwarder
    Start-Sleep -s 30
    start-service SplunkForwarder

**Batch file**
/bin/scripts/installer.bat

    @ECHO OFF
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& "$env:programfiles\SplunkUniversalForwarder\etc\apps\utsa_windows_uf_7.2.4\bin\SplunkFullInstall.ps1""

inputs.conf tells app to launch batch file
/default/inputs.conf

    [script://.\bin\scripts\installer.bat]
    interval = -1

**Point client to Deployment Server**
/bin/configfiles/deploymentclient/local/deploymentclient.conf

    [deployment-client]

    [target-broker:deploymentServer]
    # Change the targetUri
    targetUri = 10.5.5.155:8089

**Update Deployment server on client**
/bin/CopyConfigs.ps1

    $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
    $testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
    if ($testadmin -eq $false) {
    Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
    exit $LASTEXITCODE }

    Copy-Item "$PSScriptRoot\ConfigFiles\*" $env:programfiles\SplunkUniversalForwarder\etc\apps -Force -Recurse
    Start-Sleep -s 10
    restart-service SplunkForwarder
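
An integrity gate that could run before the `msiexec` step in a script like the one in the post above, as an added example that is not part of the original post or of Splunk's own tooling: it checks the MSI's SHA-256 against a pinned value and its Authenticode signature, then runs the installer synchronously and acts on its exit code. The hash is a placeholder to fill in from the vendor's published checksum, and the `Splunk` signer substring and the log path are assumptions.

```powershell
# Added example, not the poster's code. Verifies the installer before running it.
$ErrorActionPreference = 'Stop'

$Msi            = Join-Path $PSScriptRoot 'splunkforwarder-7.2.4-8a94541dcfac-x64-release.msi'
$ExpectedSha256 = '<SHA256-FROM-VENDOR-CHECKSUM>'   # placeholder, not a real hash
$ExpectedSigner = 'Splunk'                          # assumed substring of the signer subject
$Log            = Join-Path $env:TEMP 'uf_upgrade_msi.log'   # assumed log location

function Test-InstallerIntegrity {
    param([string]$Path, [string]$Sha256, [string]$Signer)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Installer not found: $Path"; return $false
    }
    # 1. File hash must equal the pinned value (-ne is case-insensitive for strings).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Write-Warning "SHA-256 mismatch: got $actual"; return $false
    }
    # 2. Authenticode signature must validate and name the expected publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status: $($sig.Status)"; return $false
    }
    if ($sig.SignerCertificate.Subject -notlike "*$Signer*") {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"; return $false
    }
    return $true
}

if (-not (Test-InstallerIntegrity -Path $Msi -Sha256 $ExpectedSha256 -Signer $ExpectedSigner)) {
    exit 1   # refuse to run an installer that fails either check
}

# No SPLUNKPASSWORD here: this example keeps credentials out of the script
# and out of the app that is copied to every client.
$msiArgs = @('/i', "`"$Msi`"", '/quiet', '/norestart', '/L*v', "`"$Log`"", 'AGREETOLICENSE=Yes')
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with reboot required (standard Windows Installer codes).
if ($proc.ExitCode -notin 0, 3010) {
    Write-Warning "msiexec failed with exit code $($proc.ExitCode); see $Log"
    exit $proc.ExitCode
}
```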

sogeniusio
Path Finder

I got this to work using python. For some reason this didn't work using shell. Check it out here: https://git.sogenius.io/pub/upgrade_splunk_uf-python - Use at your own risk!

splunker9999
Path Finder

Has Splunk addressed this issue? Can Deployment Server upgrade universal forwarders yet?

lycollicott
Motivator

No, it cannot. The deployment server only deploys apps, not UFs. Sorry.
