Thursday, July 28, 2016

Splunk Universal forwarder remote install script linux - Splunk Architecture Lab


  
Recently I had a Splunk Architecture Lab where one of the requirements was to install the Splunk Universal Forwarder (UF) on two Linux servers in an automated manner. There are more than three versions of this script available on Splunkbase and Splunk Answers.

I took one of them and tweaked it to suit the lab's needs.
 
High Level Steps
  Download the UF from Splunkbase. (The instance supports wget, so make sure to fetch the latest version of the software.)
  Install the software in a silent manner; the run will still prompt the user for credentials.
  Copy the deploymentclient.conf file with the deployment server details and perform a restart.
  Repeat the same steps on the other servers.

Supporting Files

forwarderlist.txt - list of universal forwarders as ssh logins
  sample
  user@ipaddress1
  user@ipaddress2

deploymentclient.conf
  [target-broker:deploymentServer]
  targetUri = deploymentserverip:8089

The ssh user must have enough permission to copy the file to a tmp directory on the forwarder and then into the forwarder's configuration directory; the script and its supporting files are kept in the /opt/splunk/bin/scripts directory on the search head.
 
######### UF_install.sh Script ##############

#!/bin/sh

#### forwarderlist.txt contains the ssh logins (user@ipaddress) of the forwarders to install into

HOSTS_FILE="/opt/splunk/bin/scripts/forwarderlist.txt"

### deploymentclient.conf kept next to this script on the search head
CONF_FILE="/opt/splunk/bin/scripts/deploymentclient.conf"

### Download the latest version of the installer from the Splunk site
### (update the version and filename below when a newer UF is released)

INSTALL_FILE="splunkforwarder-6.4.2-00f5bb3fa822-Linux-x86_64.tgz"
WGET_CMD="wget -O $INSTALL_FILE 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.4.2&product=universalforwarder&filename=splunkforwarder-6.4.2-00f5bb3fa822-Linux-x86_64.tgz&wget=true'"

DEPLOY_SERVER="deploymentserverip:8089"
### PASSWORD is expanded into REMOTE_SCRIPT below, so it is echoed to the
### terminal and sent to every remote host as part of the command line
PASSWORD="setpassword"

### installation steps, run on each forwarder over ssh
### (the variables above are expanded locally before the script is sent)
REMOTE_SCRIPT="
cd /opt
sudo $WGET_CMD
sudo tar -xzf $INSTALL_FILE

sudo useradd -m -r splunk
sudo chown -R splunk:splunk /opt/splunkforwarder

### /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
sudo -u splunk /opt/splunkforwarder/bin/splunk set deploy-poll $DEPLOY_SERVER --accept-license --answer-yes --auto-ports --no-prompt -auth admin:changeme
sudo -u splunk /opt/splunkforwarder/bin/splunk edit user admin -password $PASSWORD -auth admin:changeme

# deploymentclient.conf was copied into /tmp by the scp in the loop below;
# move it into place and hand it to the splunk user
sudo cp /tmp/deploymentclient.conf /opt/splunkforwarder/etc/system/local/
sudo chown splunk:splunk /opt/splunkforwarder/etc/system/local/deploymentclient.conf
rm -f /tmp/deploymentclient.conf

# once the file is in etc/system/local, restart for it to take effect
sudo -u splunk /opt/splunkforwarder/bin/splunk restart
"

### Continue the same for other UF hosts
echo "In 5 seconds, will run the following script on each remote host:"
echo
echo "===================="
echo "$REMOTE_SCRIPT"
echo "===================="
echo
sleep 5
echo "Reading host logins from $HOSTS_FILE"
echo
echo "Starting."
for DST in $(cat "$HOSTS_FILE"); do
  echo "---------------------------"
  echo "Installing to $DST"
  ### SCP (copy) deploymentclient.conf from the search head into a directory the ssh user can write to
  sudo scp "$CONF_FILE" "$DST:/tmp/deploymentclient.conf"
  sudo ssh -t "$DST" "$REMOTE_SCRIPT"
done
echo "---------------------------"
echo "Done"

######## end of script ######
Comment below if there are any questions.
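Two pre-flight checks I would bolt onto the script above, as an added example that is not part of the original post: the downloaded installer's SHA-512 is compared with the checksum Splunk publishes beside the download link before the tarball is handed to sudo tar, and forwarderlist.txt is filtered to well-formed user@host logins before any entry reaches sudo ssh. The hash and host list in the demo are constructed, and the helpers assume GNU coreutils sha512sum.

```shell
#!/bin/sh
# Pre-flight helpers for UF_install.sh (added example, not from the original post).
# Assumes GNU coreutils sha512sum; the expected hash is the value Splunk publishes
# beside the download link, pasted into the script by the operator.

# Return 0 only if the downloaded installer matches the published SHA-512, so a
# corrupted or substituted tarball is never passed to "sudo tar -xzf".
verify_tarball() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "verify_tarball: missing $file" >&2; return 2; }
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "verify_tarball: checksum mismatch for $file" >&2
        return 1
    fi
}

# Print only well-formed user@host lines from forwarderlist.txt; blank lines,
# comments and anything else are dropped before the value reaches "sudo ssh -t".
valid_host_entries() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '^[A-Za-z_][A-Za-z0-9_.-]*@[A-Za-z0-9][A-Za-z0-9.-]*$'
}

# Constructed demo: a fake tarball and a host list in a temp directory.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed tarball bytes\n' > "$tmp/uf.tgz"
    good=$(sha512sum "$tmp/uf.tgz" | cut -d' ' -f1)
    verify_tarball "$tmp/uf.tgz" "$good" && echo "tarball ok"
    verify_tarball "$tmp/uf.tgz" "deadbeef" 2>/dev/null || echo "mismatch rejected"
    printf '# lab hosts\nsplunk@10.0.0.11\n\nnot a login\nsplunk@uf2.lab.internal\n' > "$tmp/hosts"
    valid_host_entries "$tmp/hosts"
    rm -rf "$tmp"
}

demo
```

In the install loop, call verify_tarball right after the wget and valid_host_entries in place of the bare cat of HOSTS_FILE, aborting the run on a non-zero return.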