Install a *nix universal forwarder remotely with a static configuration
You can use scripts or management tools such as yum or puppet to install many *nix universal forwarders remotely.
For information on how to install and configure a single universal forwarder on *nix operating systems, see Install a *nix universal forwarder.
Install a *nix universal forwarder with a static configuration
1. Download the universal forwarder software for your platform.
2. Install the universal forwarder on a test machine, as described in Install a *nix universal forwarder.
3. Test and tune the configuration.
4. Create a script wrapper for the installation and configuration commands.
5. Run the script on representative target hosts to verify that it works with all required command shells.
6. Execute the script against the desired set of hosts.
Create and execute the universal forwarder installation wrapper script
After you validate your installation and configuration process by testing a fully configured universal forwarder, incorporate the process into a script.
Script requirements
Place the installation package or tar file in a network location accessible by the target machines. You can either set this up so that the script pushes the file over to each target host, or you can place the file in a generally accessible location, such as an NFS mount.
The script is responsible for reporting errors.
Sample script
The following is a sample script you can use as a starting point. It is only an example of the type of script you could create for your deployment. The comments in the script provide some guidance on how to modify it for your needs. You might need to modify it further, beyond what has been indicated by the comments.
The script has been designed to:
- Deploy the forwarder tar file to a list of hosts specified in a file that the HOSTS_FILE variable points to. You need to provide this file in the format specified in the script comments.
- Specify the location on each destination host where the tar file will get unpacked.
- Specify a Splunk Enterprise instance to serve as a deployment server that can subsequently manage and update the forwarders. This is an optional configuration step.
- Start the forwarder executable on each host.
The script contains many comments. Study it carefully before modifying it for your environment.
```sh
#!/bin/sh

# This script provides an example of how to deploy the universal forwarder
# to many remote hosts via ssh and common Unix commands.
#
# Note that this script will only work unattended if you have SSH host keys
# setup & unlocked.
# To learn more about this subject, do a web search for "openssh key management".


# ----------- Adjust the variables below -----------

# Populate this file with a list of hosts that this script should install to,
# with one host per line.  You may use hostnames or IP addresses, as
# applicable.  You can also specify a user to login as, for example, "foo@host".
#
# Example file contents:
# server1
# server2.foo.lan
# you@server3
# 10.2.3.4

HOSTS_FILE="/path/to/splunk.install.list"

# This is the path to the tar file that you wish to push out.  You may
# wish to make this a symlink to a versioned tar file, so as to minimize
# updates to this script in the future.

SPLUNK_FILE="/path/to/splunk-latest.tar.gz"

# This is where the tar file will be stored on the remote host during
# installation.  The file will be removed after installation.  You normally will
# not need to set this variable, as $NEW_PARENT will be used by default.
#
# SCRATCH_DIR="/home/your_dir/temp"

# The location in which to unpack the new tar file on the destination
# host.  This can be the same parent dir as for your existing
# installation (if any).  This directory will be created at runtime, if it does
# not exist.

NEW_PARENT="/opt"

# After installation, the forwarder will become a deployment client of this
# host.  Specify the host and management (not web) port of the deployment server
# that will be managing these forwarder instances.  If you do not wish to use
# a deployment server, you may leave this unset.
#
# DEPLOY_SERV="splunkDeployMaster:8089"

# A directory on the current host in which the output of each installation
# attempt will be logged.  This directory need not exist, but the user running
# the script must be able to create it.  The output will be stored as
# $LOG_DIR/<[user@]destination host>.  If installation on a host fails, a
# corresponding file will also be created, as
# $LOG_DIR/<[user@]destination host>.failed.

LOG_DIR="/tmp/splunkua.install"

# For conversion from normal Splunk Enterprise installs to the universal forwarder:
# After installation, records of progress in indexing files (monitor)
# and filesystem change events (fschange) can be imported from an existing
# Splunk Enterprise (non-forwarder) installation.  Specify the path to that installation here.
# If there is no prior Splunk Enterprise instance, you may leave this variable empty ("").
#
# NOTE: THIS SCRIPT WILL STOP THE SPLUNK ENTERPRISE INSTANCE SPECIFIED HERE.
#
# OLD_SPLUNK="/opt/splunk"

# If you use a non-standard SSH port on the remote hosts, you must set this.
# SSH_PORT=1234

# You must remove this line, or the script will refuse to run.  This is to
# ensure that all of the above has been read and set. :)

UNCONFIGURED=1

# ----------- End of user adjustable settings -----------


# helpers.

faillog() {
  echo "$1" >&2
}

fail() {
  faillog "ERROR: $*"
  exit 1
}

# error checks.

# Default to 0 so the numeric test stays valid once the UNCONFIGURED line is removed.
test "${UNCONFIGURED:-0}" -eq 1 && \
  fail "This script has not been configured.  Please see the notes in the script."
test -z "$HOSTS_FILE" && \
  fail "No hosts configured!  Please populate HOSTS_FILE."
test -z "$NEW_PARENT" && \
  fail "No installation destination provided!  Please set NEW_PARENT."
test -z "$SPLUNK_FILE" && \
  fail "No splunk package path provided!  Please populate SPLUNK_FILE."

if [ ! -d "$LOG_DIR" ]; then
  mkdir -p "$LOG_DIR" || fail "Cannot create log dir at \"$LOG_DIR\"!"
fi

# some setup.

if [ -z "$SCRATCH_DIR" ]; then
  SCRATCH_DIR="$NEW_PARENT"
fi

if [ -n "$SSH_PORT" ]; then
  SSH_PORT_ARG="-p${SSH_PORT}"
  SCP_PORT_ARG="-P${SSH_PORT}"
fi

NEW_INSTANCE="$NEW_PARENT/splunkforwarder" # this would need to be edited for non-UA...
DEST_FILE="${SCRATCH_DIR}/splunk.tar.gz"

#
#
# create script to run remotely.
#
#

REMOTE_SCRIPT="
  fail() {
    echo ERROR: \"\$@\" >&2
    test -f \"$DEST_FILE\" && rm -f \"$DEST_FILE\"
    exit 1
  }
"

### try untarring tar file.
REMOTE_SCRIPT="$REMOTE_SCRIPT
  (cd \"$NEW_PARENT\" && tar -zxf \"$DEST_FILE\") || fail \"could not untar $DEST_FILE to $NEW_PARENT.\"
"

### setup seed file to migrate input records from old instance, and stop old instance.
if [ -n "$OLD_SPLUNK" ]; then
  REMOTE_SCRIPT="$REMOTE_SCRIPT
    echo \"$OLD_SPLUNK\" > \"$NEW_INSTANCE/old_splunk.seed\" || fail \"could not create seed file.\"
    \"$OLD_SPLUNK/bin/splunk\" stop || fail \"could not stop existing splunk.\"
  "
fi

### setup deployment client if requested.
if [ -n "$DEPLOY_SERV" ]; then
  REMOTE_SCRIPT="$REMOTE_SCRIPT
    \"$NEW_INSTANCE/bin/splunk\" set deploy-poll \"$DEPLOY_SERV\" --accept-license --answer-yes \
      --auto-ports --no-prompt || fail \"could not setup deployment client\"
  "
fi

### start new instance.
REMOTE_SCRIPT="$REMOTE_SCRIPT
  \"$NEW_INSTANCE/bin/splunk\" start --accept-license --answer-yes --auto-ports --no-prompt || \
    fail \"could not start new splunk instance!\"
"

### remove downloaded file.
REMOTE_SCRIPT="$REMOTE_SCRIPT
  rm -f \"$DEST_FILE\" || fail \"could not delete downloaded file $DEST_FILE!\"
"

#
#
# end of remote script.
#
#

exec 5>&1 # save stdout.
exec 6>&2 # save stderr.

echo "In 5 seconds, will copy install file and run the following script on each"
echo "remote host:"
echo
echo "===================="
echo "$REMOTE_SCRIPT"
echo "===================="
echo
echo "Press Ctrl-C to cancel..."
test -z "$MORE_FASTER" && sleep 5
echo "Starting."

# main loop.  install on each host.

for DST in `cat "$HOSTS_FILE"`; do
  if [ -z "$DST" ]; then
    continue;
  fi

  LOG="$LOG_DIR/$DST"
  FAILLOG="${LOG}.failed"
  echo "Installing on host $DST, logging to $LOG."

  # redirect stdout/stderr to logfile.  stderr is pointed at the already open
  # stdout so that the two streams do not truncate and overwrite each other.
  exec 1> "$LOG"
  exec 2>&1

  if ! ssh $SSH_PORT_ARG "$DST" \
      "if [ ! -d \"$NEW_PARENT\" ]; then mkdir -p \"$NEW_PARENT\"; fi"; then
    touch "$FAILLOG"
    # restore stdout/stderr.
    exec 1>&5
    exec 2>&6
    continue
  fi

  # copy tar file to remote host.
  if ! scp $SCP_PORT_ARG "$SPLUNK_FILE" "${DST}:${DEST_FILE}"; then
    touch "$FAILLOG"
    # restore stdout/stderr.
    exec 1>&5
    exec 2>&6
    continue
  fi

  # run script on remote host and log appropriately.
  if ! ssh $SSH_PORT_ARG "$DST" "$REMOTE_SCRIPT"; then
    touch "$FAILLOG" # remote script failed.
  else
    test -e "$FAILLOG" && rm -f "$FAILLOG" # cleanup any past attempt log.
  fi

  # restore stdout/stderr.
  exec 1>&5
  exec 2>&6

  if [ -e "$FAILLOG" ]; then
    echo "  -->  FAILED  <--"
  else
    echo "  SUCCEEDED"
  fi
done

FAIL_COUNT=`ls "${LOG_DIR}" | grep -c '\.failed$'`
if [ "$FAIL_COUNT" -gt 0 ]; then
  echo "There were $FAIL_COUNT remote installation failures."
  echo "  ( see ${LOG_DIR}/*.failed )"
else
  echo
  echo "Done."
fi

# Voila.
```
Execute the script
After executing the script, check any log files that it generates for errors. The sample script in this topic saves logs to /tmp/splunkua.install/<destination hostname>.
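A pre-flight check for the hosts list, added here as an example and not part of the Splunk sample script: the sample script passes each entry of the hosts file unmodified to ssh and scp and also uses it as a file name under $LOG_DIR, so an entry that starts with "-" or contains "/", ":" or whitespace does not behave as a plain [user@]host value. The helper names valid_host_entry and count_bad_hosts and the sample entries are constructed for this illustration.

```sh
#!/bin/sh
# Added example: pre-flight validation of the hosts list used by the sample
# script. valid_host_entry and count_bad_hosts are hypothetical helper names.

# Return 0 if $1 is an acceptable "[user@]host" entry, 1 otherwise.
valid_host_entry() {
    case "$1" in
        ''|-*|*@-*)   return 1 ;;  # empty, or would be read by ssh/scp as an option
        .*|*@.*|*..*) return 1 ;;  # ".", ".." and similar are not usable log names
        *@*@*)        return 1 ;;  # more than one user separator
        *[!A-Za-z0-9@._-]*) return 1 ;;  # "/", ":", whitespace, globs, quotes, ...
    esac
    return 0
}

# Report each rejected line of file $1 on stderr and print the number of
# rejected lines on stdout. Blank lines are skipped, as in the sample script.
count_bad_hosts() {
    bad=0
    lineno=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        lineno=$((lineno + 1))
        [ -z "$entry" ] && continue
        if ! valid_host_entry "$entry"; then
            echo "line $lineno rejected: $entry" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "$bad"
}

# Constructed sample list: three valid entries and three that are rejected.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
server1
server2.foo.lan
you@server3

-v
../server4
server5 server6
EOF

echo "rejected entries: $(count_bad_hosts "$SAMPLE_LIST")"
rm -f "$SAMPLE_LIST"
```

Run the check against the file that HOSTS_FILE points to before executing the installation script, and proceed only when the count is 0.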
This documentation applies to the following versions of Splunk® Universal Forwarder: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3