Deployment Splunk Universal Forwarder

  • Question

  • Hello,

    I am creating an application to install Splunk Universal Forwarder


    the bat file is:

    :: Splunk installer
    :: Detect the OS architecture from the registry and branch on it
    reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT
    if %OS%==32BIT GOTO Run32
    if %OS%==64BIT GOTO Run64
    :Run64
    :: A trailing ^ continues the msiexec command onto the next line
    msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x64-release.msi" LOGON_USERNAME=AD\xxxxxxxx LOGON_PASSWORD=yyyyyyyy ^
      WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 ^
      PERFMON=CPU,MEMORY,NETWORK,DISKSPACE ^
      AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
    Set MSIError=%Errorlevel%
    GOTO End
    :Run32
    :: NOTE: this branch also references the x64 MSI; a 32-bit host needs the x86 package
    msiexec /i "%~dp0splunkforwarder-7.0.3-fa31da744b51-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="lopsplkap02:8089" /quiet
    Set MSIError=%Errorlevel%
    :End
    :: Return the msiexec exit code to the caller
    exit /B %MSIError%

    :: Installer switch reference
    ::splunkforwarder-7.0.3-fa31da744b51-x64-release
    ::LOGON_USERNAME="<domain\username>" LOGON_PASSWORD="<pass>"
    ::
    ::WINEVENTLOG_APP_ENABLE=1|0
    ::WINEVENTLOG_SEC_ENABLE=1|0
    ::WINEVENTLOG_SYS_ENABLE=1|0
    ::WINEVENTLOG_FWD_ENABLE=1|0
    ::WINEVENTLOG_SET_ENABLE=1|0
    ::
    ::PERFMON=<input_type>,<input_type>,...
    ::  cpu,memory,network,diskspace
    ::

    Any log to see where it is pending?

    Thanks,

    Dom


    Security / System Center Configuration Manager Current Branch / SQL

    • Edited by Felyjos Wednesday, September 11, 2019 9:43 PM
    Wednesday, September 11, 2019 8:50 PM

Answers

  • Hello,

    Working on a response I got on the SPLUNK community...

    My preference has always been to perform the base installation of the UF on the clients with the deployment server defined (as you seem to be doing), and then, as opposed to placing any other configs directly on the server, push all of your inputs and configs by way of your deployment server. You can define serverclasses based on OS, and push base Windows inputs out to all of your Windows servers.

    For example:

    serverclass.conf

     [serverClass:WindowsServers]
     machineTypesFilter=windows*
     whitelist.0=*

     [serverClass:WindowsServers:app:BaseWindowsInputsApp]
     restartSplunkd=1

    And then define your inputs.conf and wmi.conf or other config files in the BaseWindowsInputsApp, to be pushed out by the Deployment Server as the UFs phone home after initial installation.
    
    Doing it this way allows you to more easily change the configs on the fly as needed without having to touch them again with SCOM.

    Thanks to the splunkmonkey...

    Thanks,

    Dom


    Security / System Center Configuration Manager Current Branch / SQL

    • Marked as answer by Felyjos Friday, September 13, 2019 9:45 PM
    Thursday, September 12, 2019 5:08 PM
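
An added example (not part of the thread and not Splunk's own app) of what the inputs.conf inside BaseWindowsInputsApp could contain to replace the WINEVENTLOG_* and PERFMON installer switches from the question. The file location, counter selection and intervals are assumptions.

```ini
# Constructed example: BaseWindowsInputsApp/local/inputs.conf, stored on the
# deployment server under $SPLUNK_HOME/etc/deployment-apps/ (assumed location)

# Replaces WINEVENTLOG_APP_ENABLE=1
[WinEventLog://Application]
disabled = 0

# Replaces WINEVENTLOG_SEC_ENABLE=1
[WinEventLog://Security]
disabled = 0

# Replaces WINEVENTLOG_SYS_ENABLE=1
[WinEventLog://System]
disabled = 0

# Replaces WINEVENTLOG_FWD_ENABLE=1
[WinEventLog://ForwardedEvents]
disabled = 0

# Replaces WINEVENTLOG_SET_ENABLE=1
[WinEventLog://Setup]
disabled = 0

# Replaces PERFMON=CPU,MEMORY,NETWORK,DISKSPACE (counters below are assumed picks)
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
disabled = 0

[perfmon://Memory]
object = Memory
counters = Available MBytes
interval = 60
disabled = 0

[perfmon://Network]
object = Network Interface
counters = Bytes Total/sec
instances = *
interval = 60
disabled = 0

[perfmon://DiskSpace]
object = LogicalDisk
counters = % Free Space; Free Megabytes
instances = *
interval = 60
disabled = 0
```

With inputs delivered this way, the msiexec line only needs AGREETOLICENSE and DEPLOYMENT_SERVER, and later input changes are made in the app on the deployment server rather than by re-running the installer.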

All replies

  • Why is it pending for content? I am thinking it is pending because the switches, "AGREETOLICENSE=YES" for example, did not get passed properly... How to correct this?

    Thanks,
    Dom


    Security / System Center Configuration Manager Current Branch / SQL


    • Edited by Felyjos Wednesday, September 11, 2019 10:01 PM
    Wednesday, September 11, 2019 9:44 PM